Google wrapped up the first year of its Android Security Rewards program this week, a span of time that saw the company pay out just north of half a million dollars to security researchers who helped identify vulnerabilities in the mobile operating system.
In all, the company paid 82 researchers a combined $550,000 – an average of $2,200 per reward and $6,700 per researcher – according to Quan To, a program manager on Google’s Android Security team, who broke down the numbers in a blog post on Thursday.
To clarified that Google paid 15 different researchers $10,000 or more, including one who goes by the handle @heisecode, who earned $75,750 for reporting 26 vulnerabilities.
Adrian Ludwig, Google’s lead engineer for Android security, announced the company was adding Android to its Vulnerability Rewards Program exactly one year ago Thursday, at Black Hat’s Mobile Security Summit in London. At the time, the biggest bounty the company said it would offer was $38,000, for vulnerabilities in Google’s Nexus 6 and 9. While the scope of the program has mostly centered on vulnerabilities in Google’s Nexus devices, bugs in other code, such as the Android Open Source Project (AOSP), OEM code, and the kernel, have also been accepted.
In fact, To said a quarter of the bugs reported to Google during the last 365 days have pertained to code that’s used outside the AOSP, something that’s been beneficial for mobile security overall.
“Fixing these kernel and device driver bugs helps improve security of the broader mobile industry (and even some non-mobile platforms),” To said.
Similar to what the company did in the infancy of its Vulnerability Rewards Program, Google on Thursday announced it would be upping the ante on payouts going forward.
For reports filed after June 1 this year Google will:
- Pay 33 percent more for what it deems a high-quality vulnerability report with proof of concept.
- Pay 50 percent more for a high-quality vulnerability report with a proof of concept, CTS test, or patch.
- Raise the amount it will pay for a remote or proximal kernel exploit, from $20,000 to $30,000.
- And raise the amount it will pay for a remote exploit chain or exploits that lead to a TrustZone or Verified Boot compromise, from $30,000 to $50,000.
To points out that no one was able to successfully compromise TrustZone or Verified Boot in the past year, meaning no one qualified for the program’s top payout in 2015. TrustZone is an isolated execution environment built into the processor that underpins a range of client and server computing platforms, while Verified Boot is a capability that helps guarantee the integrity of device software by establishing a chain of trust from the hardware root of trust up to the system partition.
Google has had its hands full, especially over the last year, patching a series of vulnerabilities in Android’s Mediaserver component. The playback engine regularly interacts with the kernel, making it a ripe target for attackers, especially in the wake of last summer’s Stagefright flaws.