Google Will Pay You up to $40,000 to Find Bugs in Android

Following a successful program in 2014, in which Google paid out more than $1.5 million to security researchers who found vulnerabilities and security flaws in its Chrome browser, the tech giant is now offering a new rewards program for cybersecurity researchers called the Android Security Rewards Program.

Announced at the Black Hat Mobile Summit in London, the program currently covers vulnerabilities found in the latest Android versions for Google’s Nexus brand of phones and tablets, with the list of devices to be expanded over time.

Eligible vulnerabilities and rewards

Eligible bugs discovered by security researchers include those found in AOSP (Android Open Source Project) code, in OEM (Original Equipment Manufacturer) code such as libraries and drivers, in the kernel used by the operating system, and in the TrustZone OS and other modules running on the device. Code that runs in the chipset firmware, including code that is not part of Android, still qualifies if a flaw in it affects the security of the operating system.

The following table gives an overview of how rewards are measured and paid out to security researchers:

  • Base amounts are the minimum rewards offered for each severity level, depending on the bug discovered.
  • Google promises 1.5x the base amount if the bug report also includes a standalone test case (the vulnerable file).
  • The base reward is doubled (2x) for a patch that fixes the vulnerability, or for a CTS (Compatibility Test Suite) test that detects the issue.
  • For a submission that includes both a CTS test and a patch, a reward modifier of up to 4x (four times the base amount) is offered.

“We designed the program to make sure that the entire Android ecosystem will benefit from this vulnerability research,” Android security engineer Jon Larimer said. “In addition to paying rewards for vulnerabilities, this program offers even larger rewards for security researchers that invest in tests and patches that will make the entire ecosystem stronger.”

The very top-end reward for a critical Android bug can reach $40,000, which would require a chain of attacks that compromises Android TrustZone or Verified Boot starting from an installed application.

The decision to expand the rewards program from Chrome to the Android platform was inevitable, with Adrian Ludwig, Google's lead for Android security, saying, “We see mobile becoming arguably the most important way people connect to the internet,” before adding “our goal is that this could be a full-time research and a very well-paid opportunity,” for security researchers and white-hat hackers to find vulnerabilities and flaws in Android.