Google's Android security bounty: One year on, 250 bugs, $550k paid out

Google will offer more cash to researchers if they provide higher quality reports and patches for the bugs they find.
Written by Liam Tung, Contributing Writer

Although the Android bug bounty is focused on Nexus devices, Google says it also benefits the wider mobile industry.


Google's Android bug bounty is one year old, and it's racked up a total of 250 bugs for which Google has paid out over $550,000.

That's more than double the total payout figure Google announced in January, six months after launching the program.

To mark the anniversary of the scheme's launch, Google is raising the stakes for security researchers, with the aim of encouraging higher quality reports and reducing the effort Google has to spend confirming that a reported bug is valid.

From June 1, Google will pay 33 percent more for a high-quality bug report with a proof of concept. If researchers also provide a patch, they will receive a 50 percent bonus. And Google is raising its payout for a remote or kernel exploit from $20,000 to $30,000.

Researchers who can compromise ARM TrustZone or Verified Boot on Android will now get $50,000 instead of $30,000. Google notes, however, that it has yet to pay anyone for an exploit that compromises either of these security features.

Google kicked off Android Security Rewards last June, a month before the first Stagefright bugs were disclosed. Those bugs prompted Google's monthly Android security patches and put pressure on Android device makers to actually deliver those patches to end-user devices.

The Stagefright library (libstagefright) runs inside Android's Media Server component, which Google says accounted for more than a third of the 250 bugs that researchers reported over the past year.

Media Server in Android N should be less of a liability: it has been redesigned around the principle of least privilege, with its key functions split into separate sandboxed processes that are granted access to resources such as the camera or GPU only when they need them. A bug in one of those processes therefore no longer hands an attacker the privileges of the whole media stack.

Google says the $550,000 in bounty payments have gone to 82 researchers. Trend Micro security researcher Peter Pi is its "top researcher" under the program, earning $75,750 for 26 bugs. A handful of these were bugs in Media Server.

Even though the program is focused on Nexus devices, Google highlights that it also benefits the broader mobile industry. Last month, for example, it fixed a host of bugs in Qualcomm drivers, which ship in many non-Nexus devices as well.
