The Android Security Rewards Program has had a fruitful past year, with Google awarding more than $1.1 million to researchers who reported software vulnerabilities in the Android operating system. According to Google, it awarded prizes to 115 researchers who contributed more than 450 qualified vulnerability reports, with each researcher awarded roughly $10,000 on average and each report worth $2,150. Within the past year, the researchers saw an increase in rewards, with the average pay increasing by 52.3%. Over the same period, the search giant awarded more than $300,000 to the C0RE team, a group of security researchers that discovered and reported 118 vulnerabilities. Since the program launched in 2015, Google has spent a total of $1.5 million to reward researchers for their efforts in finding and reporting software vulnerabilities.
The search giant initially designed the rewards program to award the highest possible prize to a researcher who reports a vulnerability of extreme severity, with the top reward going to anyone who could report a vulnerability that could compromise TrustZone or Verified Boot. However, researchers may now find it increasingly difficult to find bugs or loopholes in the operating system, and no one has received the highest possible reward. Given the circumstances, Google has decided to increase the rewards given to security researchers quite substantially. For example, any researcher who reports a vulnerability that may result in remote exploitation of the operating system’s kernel will now receive $150,000, which is five times higher than the previous payout of $30,000. Meanwhile, researchers who report vulnerabilities that compromise Verified Boot or TrustZone will now receive a reward of $200,000, four times higher than the initial reward of $50,000. By increasing the rewards, Google hopes that security researchers will continue to report vulnerabilities and so further improve the security of the Android OS.