Google’s paid out more than $4 million since 2010 across its various vulnerability disclosure programs. In 2014, it paid out $1.5 million alone. Today, the company is launching a new program focused specifically on Android.
Called Android Security Rewards, it will pay out a range of cash bonuses based on the type of vulnerability reported and the amount of work put in. Submitting a simple, reproducible bug description would net you roughly $2,000.
A researcher who finds a bug, produces a test case, produces a patch and produces an exploit for a remote critical issue could be receiving somewhere in the region of $38,000, which provides a pretty big lure to seek out weaknesses in the OS, Android’s head of security Adrian Ludwig explained to me.
It might seem backwards, but with this new program and its Chrome Reward or Patch Reward (or any of its other security initiatives) Google is really hoping to pay out as much money as possible. More rewards mean more bugs found and eliminated, making for an overall more secure platform.
Another shift underway is the way in which Google will notify developers about potential vulnerabilities in apps on Google Play. Until now, it’s just been telling them about the issues.
For example, it began telling developers to upgrade to the new version of OpenSSL a year ago.
However, from early July, it will stop allowing an app’s updates to be rolled out until the app is using the new version of OpenSSL.
“We’re transitioning from notifying developers and giving them information to using Google Play as a way to incentivize developers to fix these issues,” Ludwig said.
If you’re a security researcher looking to get started on the Android Security Rewards program, it’s worth pointing out that only vulnerabilities found on Nexus 6 and Nexus 9 devices are eligible.