It’s been a year now since Google announced they would extend their Vulnerability Rewards Program to Android, promising to pay up to $38,000 for reports on security issues in Android. Today the Google Security PR team has reflected on the past 12 months, looking at how much they’ve paid, the bugs they’ve squished thanks to the program and who the biggest contributor is.
There’s been a good response to the Android Security Rewards program in the last year, with over 250 qualifying vulnerability reports received. A third of those reports were reported in Media Server, which Google says has been hardened against the possibility for bugs for the upcoming Android N release.
With that many vulnerabilities reported, that’s a lot of money, a lot of people and a lot of bugs, a summary of the last year includes:
- We paid over $550,000 to 82 individuals. That’s an average of $2,200 per reward and $6,700 per researcher.
- We paid our top researcher, @heisecode, $75,750 for 26 vulnerability reports.
- We paid 15 researchers $10,000 or more.
- There were no payouts for the top reward for a complete remote exploit chain leading to TrustZone or Verified Boot compromise.
Though the program focuses on Nexus devices, it’s all about Android and improving security for the platform as a whole. Google says that a quarter of issues reported were for code ‘developed and used outside of the Android Open Source Project’. Google welcomes these reports saying that fixing these bugs improves the security of the mobile industry as a whole.
Moving forward, Google intends to make reporting Android security vulnerabilities even more enticing, upping the rewards value for issues reported after the 1st of June. Google lists the new value for issues like this:
- We will now pay 33% more for a high-quality vulnerability report with proof of concept. For example, the reward for a Critical vulnerability report with a proof of concept increased from $3000 to $4000.
- A high quality vulnerability report with a proof of concept, a CTS Test, or a patch will receive an additional 50% more.
- We’re raising our rewards for a remote or proximal kernel exploit from $20,000 to $30,000.
- A remote exploit chain or exploits leading to TrustZone or Verified Boot compromise increase from $30,000 to $50,000.
If you’re a security researcher and find an Android bug, it’s worthwhile talking to Google about the issue to see what you can get for the bug you’ve found.