Google Says It Paid Out $550,000 to Android Bug Researchers in 2016; Increases Payout

Google added Android to its Vulnerability Rewards Program a year ago. The program asks researchers and developers to submit bugs in its products and services, and in return Google pays them in cash for relevant, high-quality reports. Google now says it paid as much as $550,000 (roughly Rs. 3.69 crores) to 82 researchers for submitting various Android security bugs, and is looking to raise the amount going forward.

Google has announced that from June 1 it will pay researchers more for submitting vulnerabilities. The tech giant will pay 33 percent more for high-quality vulnerability reports with a proof of concept, and an additional 50 percent more if the report is submitted with a CTS Test or a patch. The Android Vulnerability Rewards Program is also called the Android Security Rewards program.

Furthermore, the reward for a proximal kernel exploit has gone up from $20,000 (roughly Rs. 13,41,000) to $30,000 (roughly Rs. 20,12,000), and the top rewards for exploiting TrustZone and Verified Boot will increase from $30,000 to $50,000 (roughly Rs. 33,54,000).

Google received as many as 250 vulnerability reports last year, of which 25 percent concerned code that was developed and used outside of the Android Open Source Project. Furthermore, Quan To, Product Manager of Android Security, revealed in the blog post, “More than a third of them were reported in Media Server which has been hardened in Android N to make it more resistant to vulnerabilities.”

The highest amount went to Peter Pi, who submitted a total of 26 bugs and cashed in around $75,750. Fifteen other researchers got at least $10,000 each for submitting various vulnerabilities. Interestingly, the top prize for a TrustZone and Verified Boot compromise remains unclaimed.