Google recently announced that it has paid over $550,000 to 82 individuals since its Android Vulnerability Reward program was launched back in 2015. Google also gave a rundown of the program’s first year:
We paid over $550,000 to 82 individuals. That’s an average of $2,200 per reward and $6,700 per researcher. We paid our top researcher, @heisecode, $75,750 for 26 vulnerability reports. We paid 15 researchers $10,000 or more. There were no payouts for the top reward for a complete remote exploit chain leading to TrustZone or Verified Boot compromise.
Google also announced a few improvements to the Android Vulnerability Reward program: “We’re constantly working to improve the program and today we’re making a few changes to all vulnerability reports filed after June 1, 2016.”
Google also mentioned that it has received over 250 qualifying vulnerability reports from researchers, and said it will reward more for a high-quality vulnerability report: “We will now pay 33% more for a high-quality vulnerability report with proof of concept. For example, the reward for a Critical vulnerability report with a proof of concept increased from $3000 to $4000.” Google also said that it was raising the reward for a remote or proximal kernel exploit from $20,000 to $30,000. It will reward $50,000 for discovering a remote exploit chain leading to TrustZone or Verified Boot compromise. The company wants researchers to find and report bugs in Android because it is important for the company. That’s the reason Google is willing to pay more for finding vulnerabilities.