Google has announced Android Security Rewards, a program to reward security researchers and others who find (and optionally fix) vulnerabilities in the latest available Android versions for current Nexus devices. At present, this means the Nexus 6 and Nexus 9.

We’re launching Android Security Rewards to help reward the contributions of security researchers who invest their time and effort in helping us make Android more secure. Through this program we provide monetary rewards and public recognition for vulnerabilities disclosed to the Android Security Team. The reward level is based on the bug severity and increases for higher quality reports that include reproduction code, test cases, and patches.

Rewards range from $333 for a test case of a low-severity bug up to $8,000 for a “well-written CTS test and patch” for a critical bug …

Google says that the program applies only to bugs not covered by existing reward schemes, and that it includes bugs found in AOSP code, OEM code (libraries and drivers), the kernel, and the TrustZone OS and modules.

Google lists a number of conditions, the main ones being that you must be the first to report the bug and that you must disclose it to Google first. Code for CTS tests and patches must also comply with Android’s Coding Style Guidelines.

For any altruistic types who don’t want the money, Google will offer to double the amount and donate it to the established charity of your choice.

Google operates a similar reward program for Chrome bugs and website vulnerabilities, announcing last August that it had paid out a total of $2M in bounties over a three-year period.

About the Author

Ben Lovejoy