Google has paid security researchers millions of dollars since launching its bug bounty program in 2010. The company today expanded its Android Security Rewards program because “no researcher has claimed the top reward for an exploit chain in two years.” Right. Well, the program has only been around for two years — a Google spokesperson confirmed that nobody has ever claimed the top reward.
The Android team is making two bug bounty increases today. The reward for a remote exploit chain or exploit leading to TrustZone or Verified Boot compromise has quadrupled from $50,000 to $200,000. The reward for a remote kernel exploit has quintupled from $30,000 to $150,000. Want to make six figures? Just figure out how to hack Android.
Since the Android Security Rewards program launched, Google has rewarded security researchers over $1.5 million. The company today also shared that in the second year of the program, it received over 450 qualifying vulnerability reports from researchers. In the past year, the average pay per researcher jumped by 52.3 percent and the payout doubled to $1.1 million. 115 individuals were paid an average of $2,150 per reward and $10,209 per researcher.
You can expect the payouts to keep increasing, especially if someone manages to claim either of the two new top rewards. Google is clearly hoping to incentivize security researchers to dedicate more time to probing its mobile operating system.
Last month, Google shared that there are over 2 billion monthly active Android devices. The company needs all the help it can get to protect these users.
Bug bounty programs are an excellent addition to existing internal security programs. They help motivate individuals and groups of hackers not only to find flaws, but to disclose them properly when they do, instead of using them maliciously or selling them to parties that will.
But this is just one piece of the puzzle. Google today also shared a small update on its recent security strategy of collaborating more closely with Android manufacturers: over 100 device models now have a majority of their deployed devices running a security update from the past 90 days. Finding and squashing bugs in Android is one thing, but the company is also making more of an effort to have those fixes actually reach shipped devices via monthly security updates.