Google Increases Android Bug Rewards
Written by Kay Ewbank
Thursday, 23 June 2016
Google is increasing the amount it pays as rewards for finding bugs and security vulnerabilities in Android, with a new upper limit of $50,000.
Android Security Rewards were introduced a year ago, joining the Google Vulnerability Rewards Program. The initial offer was up to $38,000 per report that Google could use to fix vulnerabilities and protect Android users.
According to a post on the Android Developers blog, during the year Google has received 250 qualifying vulnerability reports. More than a third of the problems were reported in Media Server, and this has now been hardened in Android N to make it more resistant to vulnerabilities.
The average payout over the year was $2,200 per reward. In all, 82 people received rewards, each receiving an average of $6,700.
The highest amount paid to a single person was $75,750 for 26 vulnerability reports, and 15 researchers were paid $10,000 or more. There were no payouts for the top reward for a complete remote exploit chain leading to TrustZone or Verified Boot compromise.
The changes to the program mean high-quality vulnerability reports with proof of concept will receive 33% more, so that the reward for a Critical vulnerability report with a proof of concept has increased from $3,000 to $4,000.
A high-quality vulnerability report with a proof of concept, a CTS Test, or a patch will receive an additional 50%. The reward for a remote or proximal kernel exploit has gone up from $20,000 to $30,000, and the reward for a remote exploit chain or exploits leading to TrustZone or Verified Boot compromise has increased from $30,000 to $50,000.
Last Updated (Thursday, 23 June 2016)