Google has announced that it has paid out more than $3 million through its Android and Play Security Rewards programs. The money goes out to researchers who help Google find bugs which makes the whole ecosystem that much more secure. Google pays out different amounts of prize money based on the vulnerability and the corresponding fix.
Android Security Rewards has just completed its third year where it received 470 qualifying vulnerability reports. The firm stated that average pay per researcher jumped by 23%, paying out roughly $1 million per year. According to Google, the ASR makes up the majority $3 million.
Some highlights for this year were:
- There were no payouts for our highest possible reward: a complete remote exploit chain leading to TrustZone or Verified Boot compromise.
- 99 individuals contributed one or more fixes.
- The ASR program's reward averages were $2,600 per reward and $12,500 per researcher.
- Guang Gong received our highest reward amount to date: $105,000 for his submission of a remote exploit chain.
Its other program, the Google Play Security Rewards, saw less activity than the ASR. The Google Play Security Rewards Program was released with the aim to encourage security research into popular Android apps on Google Play. Researchers reported over 30 vulnerabilities to Google through the program so far, earning over $100,000 combined.
Google collaborates with hardware manufacturers to deliver these patches to customers, for a full list be sure to check out Google’s announcement. If you’re interested in getting involved, read the program rules and the Bug Hunter University to learn how to submit complete reports.