Security pros, take note: Google’s paying out some big money for bug reports.
In a new posting on the Android Developers Blog, Quan To, program manager for the Android Security team, stated that the company had paid out a grand total of $550,000 to 82 individuals who had discovered vulnerabilities in Android code over the past year. That comes to an average of $2,200 per reward (and $6,700 per researcher).
Some 15 researchers scored payouts of $10,000 or more. One bug-hunter, @heisecode, earned $75,750 from 26 vulnerability reports.
No researchers have managed to land Google’s top bug-hunting “prize,” a complete remote exploit chain leading to a compromise of either Verified Boot or TrustZone. Anyone who discovers this vulnerability can earn $50,000.
As of June 1, Google has altered the terms of its vulnerability-reports program. The company will now pay 33 percent more for “a high-quality vulnerability report with proof of concept.” If that report comes with some combination of a proof of concept, a CTS test, or a patch, Google will pay 50 percent more. Rewards for a remote or proximal kernel exploit now stand at $30,000 (up from $20,000).
“All of the changes, as well as the additional terms of the program, are explained in more detail in our Program Rules,” To wrote. “If you’re interested in helping us find security vulnerabilities, take a look at Bug Hunter University and learn how to submit high quality vulnerability reports.”
The latest version of Android, codenamed N, features more robust notification enhancements, multi-window support, and other features. If you’re a security researcher, you may well find some bugs in its code as well.