Just last year, Android created a rewards program for bug hunts to join Google’s longstanding Vulnerability Rewards Program. As an incentive to inventive security experts, the company announced that they would be offering up to $38,000 per report that could be used to increase the operating system’s security. Now the Android Developers blog is reporting that this program has paid out over $550,000 since its inception.
These rewards have gone to more than 250 vulnerability reports that were submitted by 82 different people. The most cash to go to a single recipient is $75,750, which went to researcher “Peter Pi,” discoverer of 26 meaningful vulnerabilities. On average, about $2,200 was awarded per find, and participating researchers snagged an average of $6,700. However, 15 researchers snagged over $10,000. The dev team reports that there were no payouts for the top reward for a complete remote exploit chain leading to TrustZone or Verified Boot compromise, which is pretty good news to hear.
While the program focuses on Nexus devices, which offer the ‘purest’ Android experience available, the vulnerabilities discovered through this program affect the Android ecosystem at large. The good news for this program going forward is that they’re actually going to start pouring even more money into it. Payouts for reports have been increased 33% across the board for all types of discovered vulnerabilities, and the max payout cap has risen to $50,000. Pretty tempting for security-savvy members of the Android community.
If you’re interested in getting involved in the Android Security Rewards program, head on over to their rules page to get all the deets you need. Also hit the comments and let us know what you think of this security initiative.