Google has had a security rewards program in place since 2010, but it wasn’t until last June that it added Android to the eligible products list. A year later, Google is reporting that it has received more than 250 vulnerability reports for Android and has paid out $550,000 to 82 security researchers for their efforts.
At the Google I/O event in May, Stephan Somogyi, product manager of security and privacy at Google, stated that Google in total paid out $2 million in 2015 to more than 300 security researchers for vulnerability disclosures.
Quan To, program manager of Android security at Google, noted in a blog post that Peter Pi was the top researcher for Android vulnerabilities over the program’s first year. Pi reported 26 vulnerabilities to Google and for his efforts was awarded $75,750. Google paid out $10,000 or more in bug bounty to 15 researchers, according to To.
Among the most well-known of all Android vulnerability disclosures are those related to the Stagefright media library. Zimperium security researcher Joshua Drake disclosed the first series of Stagefright flaws in July 2015, with an additional set disclosed in October.
In a Twitter reply to eWEEK, Drake said the total bounty he received from Google for his Stagefright-related disclosures was more than $50,000.
Google’s Android security program dramatically accelerated after the initial Stagefright disclosure, with the company moving to a monthly update cycle for Android security patches in August 2015. In the first six months of 2016, Google has patched 163 vulnerabilities, including multiple issues in the mediaserver component, which is in the same part of the Android operating system as the Stagefright media library.
For the second year of Google’s Android vulnerability award program, researchers will be eligible to earn even more money for security disclosures. Google will now pay 33 percent more for a high-quality vulnerability report with proof of concept. Those researchers who submit a high-quality vulnerability report together with a proof of concept and a patch will now receive a 50 percent higher award.
At the high end, Google will now pay $30,000 for a remote kernel exploit, up from $20,000 in 2015. A remote exploit that leads to a compromise of verified boot on Android will now earn a researcher $50,000, up from $20,000 last year.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.