In June of 2015, Google opened its Android Security Rewards program. The program offered what amounts to cash bounties to anyone who finds vulnerabilities and other bugs within Android and Nexus phones and tablets. This program is basically a specialized extension of Google’s much more broad Security Rewards Program that has been operating since 2010. In addition, though, Google has also been running a similar program—Vulnerability Research Grants—since January of 2015 to encourage experts to find bugs before they even begin their work.
Now a year later, and Google has already paid out more than $550,000 to only 82 individuals who have found a little more than 250 total qualifying vulnerability reports. According to Google, more than a third of these vulnerabilities were reported in the Media Server, an issue which has already been hardened in the new Android N operating system in order to make it yet more resistant to additional vulnerabilities.
Among the 82 payees, Google has identified the user @heisecode as the highest earner. So far, the debugger has filed 26 vulnerability reports for a total bounty of $75,750.
The program has been such a wide success that they plan to continue expanding it with increased rewards for vulnerability reports filed after June 1 of 2016. As a matter of fact, researchers who now submit “high-quality” vulnerability reports—along with proof of concept—can receive at least one-third more earnings. Yes, that is 33 percent higher bounties.
Furthermore, high-quality vulnerability reports accompanied by proof of concept, a CTW test, or a patch (to fix the issue) could receive as much as 50 percent more in bounties. For example, anyone who discovers a “remote or proximal kernel exploit” will earn $30,000 per occurrence (up from $20,000) and the discovery of a “remote exploit chain or an exploit leading to TrustZone or Verified Boot compromise” will earn $50,000, up from $30,000.
Android powers the vast majority of mobile devices in use today, so it makes sense that they would also find creative ways to outsource the very important task of maintaining security. Often, a single department cannot find every bug and, more importantly, it can take a bit of creativity to figure out how breaches might occur. When it comes to creativity it is often best to recruit as many minds as possible to approach the potential problem.