For some time now Google has offered cash rewards to researchers and developers who find and fix software vulnerabilities in its various websites and apps. Now that program is expanding even further, offering rewards for fixing issues in the Android operating system.
The new program is called Android Security Rewards, and was announced today at Black Hat’s Mobile Security Summit in London. Generally, the program aims to address serious security-related issues, rewarding those who uncover vulnerabilities of critical, high, and moderate severity, though Google notes that it will reward certain patches for low-severity vulnerabilities on a case-by-case basis.
Because the Android Security Rewards program concerns only the Android Open Source Project (AOSP), it covers only vulnerabilities found “in the latest available Android versions for Nexus phones and tablets currently available for sale in the Google Store.” Right now this means only the Nexus 6 and Nexus 9 count. Google has indicated that no other products, such as the Nexus Player, Android Wear, or Project Tango, are included in the program.
That’s a fairly small list, but those who find and fix vulnerabilities on either device do stand to make a tidy sum for their time. The rewards start at $500 for simply finding and reporting a moderate-severity vulnerability. Finding and fixing a bug of critical severity, on the other hand, could get you $8,000, assuming the fix is accepted. Rewards for uncovering certain exploits can earn those who find them up to an extra $30,000.
Since Google began offering rewards for bug fixes in 2010, the company has paid out more than $4 million. Last year alone the company paid out $1.4 million to over 200 researchers. Considering Android’s popularity among developers, this number will likely grow significantly with the introduction of the Android Security Rewards program.
If you’re a developer or security expert, or are simply interested in learning more about the program, head over to Google’s Android Security Rewards page for more information.