In a recently released report, Google has revealed that they have paid more than $550,000 so far to security researchers for discovering and reporting crucial vulnerabilities. The news comes exactly a year after ‘Android Security Rewards’ was added to the Google Vulnerability Rewards Program.
The main purpose of Android Security Rewards was to make Android for mobile more secure and less prone to vulnerabilities. Over the course of one year, Google has received around 250 qualifying vulnerability reports. While the program is focused on Nexus devices, more than a quarter of the issues were reported in code that is developed and used outside of the Android Open Source Project.
Google also gave an interesting rundown of the program’s first year:
- They paid over $550,000 to 82 individuals. That’s an average of $2,200 per reward and $6,700 per researcher.
- Their top researcher, @heisecode, was paid $75,750 for 26 vulnerability reports.
- 15 researchers were paid $10,000 or more.
- There were no payouts for the top reward for a complete remote exploit chain leading to TrustZone or Verified Boot compromise.
Google also announced that they are improving the program and that the reward amount for high-quality vulnerability reports will automatically be higher. For example, the reward for a critical vulnerability report with a proof of concept will be increased from $3,000 to $4,000, while the maximum payout has been increased from $30,000 to $50,000.