Google has awarded more than $550,000 (£383,035) in total to 82 researchers for finding security flaws within the Android mobile operating system, the company announced on 16 June. Marking the first anniversary of its Android Security Rewards programme's launch, the company is also raising the stakes for bug bounty hunters to encourage higher quality reports and make it easier for the company to assess whether a bug is valid.
"A year ago, we added Android Security Rewards to the long standing Google Vulnerability Rewards Program," Google's Android Security programme manager Quan To wrote in a blog post. "We offered up to $38,000 per report that we used to fix vulnerabilities and protect Android users. Since then, we have received over 250 qualifying vulnerability reports from researchers that have helped make Android and mobile security stronger."
He also adds that more than a third of those reports pertained to Media Server "which has been hardened in Android N to make it more resistant to vulnerabilities."
According to the post, the top bug hunter in 2015 was Peter Pi who received $75,750 in total for 26 vulnerability reports. Fifteen other individuals received at least $10,000 in payouts as well. Google also reports that the average was $2,200 per reward and $6,700 per researcher.
From 1 June, Google will pay 33% more for a high-quality bug report with proof of concept and throw in a 50% bonus if you can provide a patch for the issue as well. Researchers who report a remote or kernel exploit will now receive $30,000, up from $20,000. Additionally, anyone who breaks the ARM chip's TrustZone or Verified Boot will receive $50,000 instead of $30,000.
Google's Android Security Rewards programme was launched in June 2015, just a month before the first StageFright bugs attacked Android devices and prompted the tech giant to beef up its security efforts. As a result, the company started releasing monthly Android patches to safeguard its devices.
Used to detect and squash bugs before they wreak havoc, bug bounty programmes have proven to be a useful security measure for several tech companies and firms, in addition to their in-house security team. In January, Google announced that it doled out over $200,000 to security researchers who contributed to its Android VRP since its launch.
The company says that although its programme does focus on Nexus devices, it is benefiting the mobile industry as a whole as well.