A few years ago Google introduced their Android Security Rewards program. It is essentially a way for those so inclined to report any bugs they find that can lead to a security issue in the Android OS, and get paid for it.
For those with the capacity to find the right bugs, the program has paid out over 4 million US dollars since 2015. That has the potential to skyrocket with some increased payout offerings from the team at Google:
“We are introducing a top prize of $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices. Additionally, we will be launching a specific program offering a 50% bonus for exploits found on specific developer preview versions of Android, meaning our top prize is now $1.5 million.”
It’s not just deep-diving into code that has the potential to bring a reward, though; even finding a way to bypass the lockscreen could bring you some reward, as this (clearly) has the potential to compromise the security of a significant number of devices.
There are a lot of people, a lot smarter than me, involved in these sorts of programs, and the top payout so far in 2019 has been $201,337.00 for identifying a remote code exploit. This report also resulted in a change to Chrome Desktop.
Personally, I feel comforted by the transparency of this process and the call for parties external to Google to be involved in the research.