Google ups reward for Android bugs to $200K

SC Magazine

While Android often gets a bad rap for inadequate security, that reputation is based on former iterations of the Google operating system. Newer generations have greatly strengthened security – to the point where no white hats have claimed the top reward for reporting a vulnerability in two years.

As a consequence, the company has pumped up its Android Security Rewards program, with as much as $200,000 being granted for its top prize: a remote exploit chain or exploit leading to TrustZone or Verified Boot compromise, according to a post on the Google blog.

Since it launched two years ago, Google's bug bounty program has awarded more than $1.5 million to researchers who submit vulnerability reports. Payouts have averaged around $2,000, but could rise to as much as $10,000, depending on the severity of the exploit.

But, as of June 1, the company will be paying out bigger bonuses for vulnerability reports. The amount paid for a remote exploit chain or exploit leading to TrustZone or Verified Boot compromise increases from $50,000 to $200,000. And the payout for a remote kernel exploit increases from $30,000 to $150,000.