Android bugs made up 10 percent of Google's $2m bounty payouts - in just five months

Android is shaping up to become one of the more lucrative sources of payments for security researchers in Google's bounty scheme.
Written by Liam Tung, Contributing Writer

Google's largest single payment to a security researcher under the Android program so far is $37,500.

Image: CNET

Google paid out over $2m to security researchers last year for reporting flaws in Google products, of which more than $200,000 went to bugs in Android in just five months of payouts.

Google says it has laid out more than $6m in rewards to researchers since launching its bug bounty program in 2010, which helps the search giant secure Chrome, online services such as Google.com and YouTube, and Android.

The bounty schemes are a key part of how Google competes for vulnerability reports in a market where exploit brokers also pay for the same bugs.

Last June, the company introduced a vulnerability rewards program for Android bugs that affect its Nexus devices. Its arrival was timely, coming just one month before the first Stagefright bugs were publicly disclosed; those bugs have since prompted Google, Samsung and LG to commit to regular monthly security updates for flagship Android handsets.

Unlike the Chrome program, for which Google details individual rewards as they are paid, the company doesn't publish a monthly breakdown of the Android bounties paid to individual researchers.

However, the company has revealed that in the six months since the Android program launched (five months counting from the first payout in August) it paid out more than $200,000, meaning Android accounted for roughly 10 percent of the $2m Google awarded in total last year. In 2014 Google paid $1.5m to researchers.

The largest single payment to a researcher under the Android program so far is $37,500.

Google will pay out up to $8,000 for an Android bug report accompanied by a patch, and up to an additional $30,000 for certain remote exploits. Competitors in the vulnerability market, such as the exploit broker Zerodium, offer up to $100,000 for a remote jailbreak of Android.

The first Android reward went to researcher Wish Wu in August, the month Google rolled out patches for the first Stagefright bugs.

"Android was a newcomer to the Security Reward program initiative in 2015 and it made a significant and immediate impact as soon as it joined the program," Eduardo Vela Nava of Google's Security team said.

Extrapolated from last year's rate, Google's annual Android bounty payments alone should soon exceed Microsoft's total bounty payments since 2013, which as of the end of 2015 amounted to $500,000.
