A year ago, Android was added to the Google Vulnerability Rewards Program that pays researchers for submitting security bugs that affect various products and services. Google has since paid over $550,000 in rewards and is raising the amount going forward.
In total, over 250 qualifying vulnerability reports were submitted by 82 individuals. This resulted in an average of $2,200 per reward and $6,700 per researcher. The top researcher earned $75,750 for 26 vulnerability submissions and 15 researchers received $10,000 or more. For a full list, head to the Android Security acknowledgements page.
There were no payouts for the top reward, a complete remote exploit chain leading to TrustZone or Verified Boot compromise. More than a third of the submitted reports concerned Media Server, the playback component behind the Stagefright vulnerabilities. Google has since taken a number of steps to harden that component in Android N.
The program is aimed at Nexus devices, but more than a quarter of the issues were reported in code that is developed and used outside of the Android Open Source Project. This includes kernel and device driver bugs from third-party vendors.
Starting June 1st, Google will begin paying researchers more for submitted vulnerabilities. High-quality vulnerability reports with proofs of concept will net 33% more, and reports that include a proof of concept, a CTS test, or a patch will receive an additional 50%. Rewards for a remote or proximal kernel exploit increase from $20,000 to $30,000. Lastly, the top rewards for exploiting TrustZone and Verified Boot will increase from $30,000 to $50,000.