The Android Security Rewards Program for the past year has been fruitful, with Google awarding more than $1.1 million to researchers who have reported software vulnerabilities of the Android operating system to the search giant. According to Google, it awarded prizes to 115 researchers who contributed more than 450 qualified vulnerability reports with each researcher awarded roughly around $10,000 on average, with each report worth $2,150. Within the past year, the researchers saw an increase in rewards, with the average pay increased by 52.3%. Within the past year, the search giant awarded more than $300,000 to C0RE team, a group of security researchers that discovered and reported 118 vulnerabilities. Since the program launched in 2015, Google already spent a total of $1.5 million to reward researchers for their efforts in finding and report software vulnerabilities.
The search giant initially designed the rewards program to award the highest possible prize to the researcher who will report a vulnerability of extreme severity, with the highest possible reward given to anyone who could report of a vulnerability that could compromise TrustZone or Verified Boot. However, researchers may now find it increasingly difficult to find bugs or loopholes in the operating system, with no one getting the highest possible reward. Given the circumstances, Google has decided to increase the rewards given to security researchers quite substantially. For example, any researcher who could report a vulnerability that may result in the remote exploitation of the operating system’s kernel will now receive $150,000, which is five times higher than the previous payout of $30,000. Meanwhile, the researchers who report vulnerabilities that compromise Verified Boot or TrustZone will now receive a reward of $200,000, four times higher than the initial reward of $50,000. By increasing the rewards, Google hopes that security researchers will continue to provide reports of vulnerabilities in order to further improve the security of the Android OS.
Aside from working with security researchers to reduce the possible number of vulnerabilities in Android, Google is also working with smartphone manufacturers to ensure that the Android-powered devices are updated to latest security patches available. According to Google, the latest security patches from the last 90 days are available to more than 100 device models from a wide variety of manufacturers. Based on the release list, it is Samsung that has the most number of devices updated to the latest security patches.