Friday October 18th, 2019

As part of the security program that aims to track, find and fix security holes in its products, Google pays developers who report issues. Today, Google has announced it is expanding its Security Rewards Program to Android.

The new program will be looking for vulnerabilities which affect Google Android devices for sale in the online Google Store in the US – specifically the Nexus 6 and Nexus 9 – although this will expand over time as Google announces new devices. What is Google looking for? In Google’s words:

Eligible bugs include those in AOSP code, OEM code (libraries and drivers), the kernel, and the TrustZone OS and modules. Vulnerabilities in other non-Android code, such as the code that runs in chipset firmware, may be eligible if they impact the security of the Android OS.

What this doesn’t cover, however, is bugs or vulnerabilities in the custom ROMs that proliferate for Nexus devices.

So, if you find a bug that is eligible, what’s it worth? The reward amount is based on the severity of the vulnerability, and on whether you simply report the bug, report it with a test case that demonstrates it, or report it together with a CTS test and/or a patch. There are various reward multipliers from 1.5x to 4x the normal rewards, as well as bonuses of $20,000 to $30,000 for targeted attacks which compromise ASLR, NX and the sandboxing that Google has set up for Android to protect users, but as a general rule, the payment system looks something like this:

Severity   Bug      Test case   CTS test or patch   CTS test + patch
Critical   $2,000   $3,000      $4,000              $8,000
High       $1,000   $1,500      $2,000              $4,000
Moderate   $500     $750        $1,000              $2,000
Low        $0       $333        $500                $1,000

Under its ‘Project Zero’ disclosure policy, Google has given itself (and any other companies involved) up to 90 days to patch the vulnerabilities before going public.

If you’re into looking at Google code and have some issues you’d like to report, Google wants to hear about them. For more information on how to report vulnerabilities, or on the rewards, head to the Android Security Rewards support page.

Source: Google Online Security Blog, and Android Security Rewards Program.

Daniel Tyson

Dan is a die-hard Android fan. Some might even call him a lunatic. He's been an Android user since Android was a thing, and if there's a phone that's run Android, chances are he owns it (his Nexus collection is second-to-none) or has used it.

Dan's dedication to Ausdroid is without question, and he has represented us at some of the biggest international events in our industry including Google I/O, Mobile World Congress, CES and IFA.

Ausdroid Reader

Well since Google have no control over custom ROMs it would be rather silly of them to pay out bug bounties on them.
