Google Ups Android Bug Bounty Rewards

To mark the first anniversary of Google’s Android Security Rewards program the company has announced an increase in how much it will pay for vulnerability reports.

For what Google calls a “high-quality vulnerability report with proof of concept,” security researchers will see payments increase 33% from $3000 (£2100, €2700) to $4000 (£2800, €3500). A high-quality vulnerability report that also includes a proof of concept, a CTS (Compatibility Test Suite) test, or a patch will get 50% more, Google says.

The more complex the vulnerability, the higher the rewards. A remote or proximal kernel exploit will now net $30,000 (£21,000, €26,700) instead of $20,000, and the reward for discovering a remote exploit chain or exploits leading to TrustZone or Verified Boot compromise has risen from $30,000 to $50,000 (£35,000, €44,400).

Android Security Rewards was added to Google’s Vulnerability Rewards Program to focus specifically on exploits and vulnerabilities within Google’s mobile operating system. It was launched to help secure Google’s range of Nexus devices, such as smartphones and tablets. 

Since its introduction a year ago, Google says the program has received over 250 qualifying vulnerability reports, with a total of $550,000 (£384,500, €489,000) being paid out to 82 different researchers. The top researcher received $75,750 (£53,000, €67,300).

Most of the reports concerned vulnerabilities within the Android Media Server; Google says it has used these reports to improve security for the upcoming Android N release. Google also points out that many of the bugs were found in code that isn’t unique to Android.

The Android mobile operating system has been repeatedly criticized for its lax security. While Google has recently taken steps to improve matters by offering monthly security updates, millions of users across the world remain at risk because they run out-of-date versions of Android. A report this year put the figure at 90% of all Android users.

So while Google can find and fix vulnerabilities and push out patches to those users running the latest version on a Nexus device, many other users have to wait for their network provider and device manufacturer to push out the updates.

What’s hot on Infosecurity Magazine?