Google announced today that it has paid out more than $550,000 to 82 security researchers who have detected vulnerabilities within the Android mobile operating system. This was done under the auspices of the company’s Android Security Rewards program, which launched last year.
Over 250 “qualifying” vulnerability reports have already been submitted to Google. More than a third of these pertained to Media Server, which the company said it has improved to make it more resistant to vulnerabilities. Over 25 percent of the issues received were reported in code that’s developed and used outside of the Android Open Source Project.
Out of the $550,000 dispensed, Google gave average rewards of $2,200 to $6,700 per researcher. The highest amount of $75,750 was given to Peter Pi, who submitted 26 vulnerability reports. Fifteen researchers received at least $10,000 in payouts. The company revealed that the top prize for a complete remote exploit chain leading to a TrustZone or Verified Boot compromise remains unclaimed.
Following the program’s inaugural year, Google has made changes that will lead to payout increases. Specifically, the company will pay 33 percent more for high-quality vulnerability reports with proof of concept and 50 percent more with the addition of a CTS Test or a patch.
In addition, rewards for remote or proximal kernel exploits have gone up from $20,000 to $30,000. Rewards for a remote exploit chain or exploits leading to TrustZone or Verified Boot compromises are also changing, and will now pay up to $50,000.
Google has always had a bug bounty, but last year the company expanded the program to Android in order to compensate those who find and responsibly disclose vulnerabilities in the operating system. Since 2010, it has paid security researchers more than $4 million in rewards across all its programs, and it is spending more every year.