In 2014, Google paid out more than $1.5 million to security researchers to find vulnerabilities and security flaws in its Chrome browser. Now Google is offering a new rewards program for cybersecurity researchers called the Android Security Rewards Program.
The following is an overview of how rewards are measured and dished out to security researchers:
- Base amounts are the minimum rewards offered for different severities, depending on the bugs discovered.
- Google promises 1.5x the base amount if the bug report also includes a standalone test case (the vulnerable file).
- The base reward is doubled (2x) for a patch that provides a fix for the vulnerability or for a CTS (Compatibility Test Suite) test that detects the issue.
- For an entry that includes a CTS test and a patch together, up to 4x (4 times the base amount) is offered as a reward modifier.
The top-end reward for a critical Android bug can go up to $40,000, for a chain of attacks that compromises Android TrustZone or Verified Boot from an installed application.
The decision to expand its rewards program from Chrome to its Android platform was inevitable, with Adrian Ludwig, Google’s lead of Android Security, saying, “We see mobile becoming arguably the most important way people connect to the internet,” before adding “our goal is that this could be a full-time research and a very well-paid opportunity,” for security researchers and white-hat hackers to find vulnerabilities and flaws in Android.