Google Pays Out $550K in Android Bug Bounties in One Year | eWeek
Cybersecurity
SHARE
Facebook X Pinterest WhatsApp

Google Pays Out $550K in Android Bug Bounties in One Year

Android security
Written By
Sean Michael Kerner
Sean Michael Kerner
Jun 19, 2016
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Google has had a security rewards program in place since 2010, but it wasn’t until last June that it added Android to the eligible products list. A year later, Google is reporting that it has received more than 250 vulnerability reports for Android and has paid out $550,000 to 82 security researchers for their efforts.

At the Google I/O event in May, Stephan Somogyi, product manager of security and privacy at Google, stated that Google in total paid out $2 million in 2015 to more than 300 security researchers for vulnerability disclosures.

Quan To, program manager of Android security at Google, noted in a blog post that Peter Pi was the top researcher for Android vulnerabilities over the program’s first year. Pi reported 26 vulnerabilities to Google and for his efforts was awarded $75,750. Google paid out $10,000 or more in bug bounty to 15 researchers, according to To.

Among the most well-known of all Android vulnerability disclosures are those related to the Stagefright media library. Zimperium security researcher Joshua Drake disclosed the first series of Stagefright flaws in July 2015, with an additional set disclosed in October.

In a Twitter reply to eWEEK, Drake said the total bounty he received from Google for his Stagefright-related disclosures was more than $50,000.

Google’s Android security program dramatically accelerated after the initial Stagefright disclosure, with the company moving to a monthly update cycle for Android security patches in August 2015. In the first six months of 2016, Google has patched 163 vulnerabilities, including multiple issues in the mediaserver component, which is in the same part of the Android operating system as the Stagefright media library.

For the second year of Google’s Android vulnerability award program, researchers will be eligible to earn even more money for security disclosures. Google will now pay 33 percent more for a high-quality vulnerability report with proof of concept. Those researchers who submit a high-quality vulnerability report together with a proof of concept and a patch will now receive a 50 percent higher award.

At the high end, Google will now pay $30,000 for a remote kernel exploit, up from $20,000 in 2015. A remote exploit that leads to a compromise of verified boot on Android will now earn a researcher $50,000, up from $20,000 last year.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Sean Michael Kerner
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information