Android vulnerabilities worry everyone, not least because of doubts about whether Google can fix them in time. Last year, though, Google showed it takes those vulnerabilities seriously by launching the Android Security Rewards program, its bug bounty for the Android OS. A year on, the security firms and researchers who took part appear to have done rather well out of it.
In the program’s first year, Google paid out about $550,000 to 82 individuals, covering about 250 qualifying reports. That works out to an average of about $2,200 per reward and about $6,700 per researcher.
@heisecode was the top researcher on that list, submitting 26 vulnerability reports and earning $75,750. Fifteen researchers were paid $10,000 or more. Notably, nobody claimed the top reward, which is reserved for a complete remote exploit chain leading to a TrustZone or Verified Boot compromise; in other words, no submission demonstrated a remote attacker breaking into the secure world or defeating the boot-integrity check.
Although the sheer number of reports may unsettle Android users, Google regards the program as a success. In fact, it has raised the rewards. According to the blog post, Google will now pay 33 percent more for a “high-quality vulnerability report with proof of concept.”
To qualify for that increase, a researcher must submit a Critical-severity vulnerability report together with a working proof of concept; the reward for such a report rises from $3,000 to $4,000.
The stakes for kernel exploits have been raised as well, from an already substantial $20,000 to $30,000. At the same time, the reward for a remote exploit chain, or for exploits leading to a TrustZone or Verified Boot compromise, increases from $30,000 to $50,000.