Last year Android was included in the Google Vulnerability Rewards Program that pays researchers to submit security-related bugs affecting the company’s products. The search giant has since paid more than $550,000 in rewards, and is set to increase the amount in future.
To date, more than 250 qualifying vulnerability rewards have been submitted by 82 people. That meant an average of $2,200 for each reward, and $6,700 for each researcher. The most prolific researcher earned $75,750 for 26 submissions, and fifteen researchers received $10,000 or more.
There were, however, no payouts for the topmost reward of a complete ‘remote exploit chain’ leading to TrustZone or Verified Boot compromises. Over a third of all the reports submitted related to the Media Server, which is responsible for playback and which also led to the well-known Stagefright exploit. Google has since taken numerous steps to make the system more robust in the latest version of Android.
The rewards program is mainly aimed at Google's own Nexus devices, but more than a quarter of all issues involved code developed and used outside the Android Open Source Project, including kernel and device driver bugs from third parties.
From June the first this year, Google has started paying researchers more cash for submitted vulnerabilities. “High quality” reports with a proof of concept will receive a third more, and those with a patch will receive another fifty percent. The top rewards for TrustZone and Verified Boot will now increase from $30,000 to $50,000.