A year ago today Google announced Android Security Rewards, an expansion of its Vulnerability Rewards Program. Find a vulnerability, tell Google about it, help them fix the issue, and take home money. That's the concept, and it's a common one in the tech industry.
Google handed out over half a million bucks to 82 individuals over the past year. This averaged out to $2,200 per reward. Researchers averaged higher payouts, at $6,700. One, @heisecode, received $75,750 for 26 vulnerability reports. Fifteen researchers received $10,000 or more.
No one received the top reward for a complete remote exploit chain leading to TrustZone or Verified Boot compromise. Does that mean they're perfectly secure? No, but they're demonstrably tough to break.
Going forward, Google is increasing bounty rewards. The amount for a vulnerability report with proof of concept is going up 33%. That bumps $3,000 up to $4,000 (pictured above).
Anyone who manages a remote or proximal kernel exploit can snag $30,000, up from $20,000. The highest reward remains a TrustZone or Verified Boot compromise, which will now land someone $50,000 instead of $30,000.
Those are the prizes. As for the rules, here you go. Happy hacking.
- Android Developers Blog