Over a third of Android vulnerability reports were for issues with the Android Mediaserver component

Jun 16, 2016 22:45 GMT

On the one-year anniversary of the Android Security Rewards Program, Google has announced it will increase cash rewards after no researcher submitted a remote exploit chain that compromised Android's TrustZone or Verified Boot.

Google says that it received and approved over 250 valid vulnerability reports in the past year, but over a quarter of these were for code developed and maintained outside the Android Open Source Project, such as kernel and device driver bugs in third-party OEM code.

The company says that it paid over $550,000 to 82 security researchers, which works out to an average reward of roughly $2,200 per bug, or $6,700 per researcher.

One security researcher made over $75,000 just from Android bugs

Some researchers were busier than others, and Google says its most prolific bug hunter was @heisecode, who received $75,750 for 26 different vulnerability reports.

Google hasn't revealed who received the biggest bug bounty, but it has stated that 15 researchers earned more than $10,000 from multiple reports.

Because nobody submitted a complete remote exploit chain that resulted in a compromise of TrustZone (the ARM-based secure world that holds the device's most sensitive operations) or of Verified Boot (the chain of trust that guarantees the integrity of the boot process), Google has decided to entice researchers to have another go at the platform's best-protected components.

Google antes up bug payouts for high-quality vulnerability reports

The company says it will now pay $50,000 for a remote exploit chain, or a remote exploit, leading to a TrustZone or Verified Boot compromise. Previously, Google paid $30,000.

Additionally, the company is raising the reward for a remote or proximal kernel exploit from $20,000 to $30,000.

The reward for an exploit or chain of exploits leading to a TrustZone or Verified Boot compromise via an installed app or with physical access to the device has remained $30,000.

On top of these, Google has made it clear that high-quality vulnerability reports are welcome: all rewards increase by 33 percent if the report includes a working proof of concept. Researchers will also benefit from a 50 percent increase if, besides the proof of concept, their report also includes a CTS (Android Compatibility Test Suite) test that detects the issue.

Back in March, Google also increased the maximum payout for a persistent compromise of a Chromebook device operating in guest mode, stating that researchers who achieve such a feat would receive a reward of $100,000.