Android bugs made up 10 percent of Google's $2m bounty payouts - in just five months

Google paid out over $2m to security researchers last year for reporting flaws in Google products, of which $200,000 went on bugs in Android in just five months.

Google says it has laid out more than $6m in rewards to researchers since launching its bug bounty program in 2010, which helps the search giant secure Chrome, online services such as Google.com and YouTube, and Android.

The bounty schemes are a key ingredient in Google's ability to outbid rivals in the competitive market in acquiring vulnerabilities.

Last June, the company introduced a vulnerability rewards program for Android bugs that affect its Nexus devices. Its arrival was timely, coming just one month before the first Stagefright bugs were discovered, which have since prompted Google, Samsung and LG to commit to regular monthly security updates for flagship Android handsets.

Unlike the way it details rewards for Chrome, Google doesn't publish the value of bounties each month to individual researchers.

However, the company has revealed that in six months it paid out more than $200,000, meaning it accounted for roughly 10 percent of the $2m Google awarded in total last year. In 2014 Google paid $1.5m to researchers.

The largest single payment to a researcher under the Android program so far is $37,500.

Google will pay out up to $8,000 for a bug report and patch for Android, and up to an additional $30,000 for certain remote exploits. Competitors in the vulnerability market, such as controversial exploit trader Zerodium, offer up to $100,000 for a remote jailbreak in Android.

The first Android reward went to researcher Wish Wu in August, the month Google rolled out patches for the first two Stagefright bugs.

"Android was a newcomer to the Security Reward program initiative in 2015 and it made a significant and immediate impact as soon as it joined the program," Eduardo Vela Nava of Google's Security team said.

At last year's rate, Google's annual Android bounty payments alone should soon exceed Microsoft's total payments since 2013, which as of the end of 2015 amounted to $500,000.

More on Google

• Google Docs, Sheets, Slides for Android, iOS: Now you get commenting plus extra file formats
• Google Chrome gets ready to mark all HTTP sites as 'bad'
• Google Android machine learning? Movidius deal aims to give smartphones real-time facial recognition
• Google AlphaGo AI clean sweeps European Go champion
• Google updates Chrome for iOS with improved speed, stability
• This is how Google drones will deliver your packages, and keep your pets safe
• Android security: Samsung plugs six OS and seven Galaxy-specific bugs