Google's Android Security Rewards bug bounty program is 1-year-old, and the company has already paid out more than $550,000 for a total of 250 bugs found.
Android Security Rewards launched back in June 2015 as an addition to the Google Vulnerability Rewards Program and it proved to be quite fruitful. One year in and 82 people received $550,000 in total for finding security flaws that could enable hackers to compromise Android devices.
"More than a third of them were reported in Media Server which has been hardened in Android N to make it more resistant to vulnerabilities," Google points out.
That impressive $550,000 figure is actually more than double the amount Google announced back in January, six months into the program. Nevertheless, Google is celebrating the program's one-year anniversary by raising the stakes even further.
Security researchers are now encouraged to submit higher-quality reports, making it easier for Google to assess whether a bug is indeed valid or not. As expected, the payouts and incentives increase as well. From June 1, a high-quality bug report with a proof of concept is worth 33 percent more and researchers will also get a 50 percent bonus if they provide a patch to go along with their bug report. For a Critical vulnerability report with a proof of concept, that 33 percent increase translates to a $1,000 boost from $3,000 to $4,000.
Moreover, breaking the TrustZone or Verified Boot on Android will net payments of $50,000 instead of the previous $30,000, while the reward for a proximal or remote kernel exploit is increased from $20,000 to $30,000.
With Android powering the majority of mobile devices currently in use, security is of utmost importance. The Stagefright bugs that recently ravaged Android devices prompted Google to increase its efforts even further and challenged OEMs to keep up. Google's monthly security patches emerged as a result of the Stagefright fright, and OEMs are under increased pressure to deliver the said updates in a timely manner to end users.
Bug bounty programs, meanwhile, are a great way to prevent various vulnerabilities from actually being exploited. While the monthly Android patches came as a response to the Stagefright bugs after many Android devices were already compromised, the bug bounty programs are more about plugging flaws before they get to wreak havoc.
Google says that although its Android Security Reward program focuses on Nexus devices, it's also benefiting the mobile industry as a whole.
