How much is the security of your Android device worth? Well, Google spent around $550,000 in bug rewards since it launched the program for Android a year ago. Depending on how you view the platform, that might be more than enough or, in fact, too little. Regardless, Google is even increasing the bounty for “high quality” reports to ensure that Android’s security doesn’t descend into becoming a joke in the mobile industry. Though some might argue that is already the case anyway.
Companies have gotten more enterprising in keeping tabs on bugs and security vulnerabilities. In addition to (and hopefully not in place of) internal squads of testers and bug hunters, some companies have put out bug bounties, more formally a “Vulnerability Rewards Program”, to give white hat hackers and security researchers some monetary incentive for reporting such problems. Instead of, you know, exploiting them for profit.
Google has had such a VRP in place for a long time but only last year added Android to its targets. Since then, Google has doled out $550,000 to 82 individuals who reported such vulnerabilities, basically an average of $6,700 per head. Of those, it has named “@heisecode” as the top grossing reporter, with 26 reports earning him $75,750. Luckily for Google, there were no TrustZone or Verified Boot compromises reported, as those are rewarded with $30,000 for a single report. They happen to also be the most heinous, judging by their bounty.
Android security, however, is often the favorite subject of the platform’s critics, and sometimes of its own more technically knowledgeable fans. Last year’s Stagefright fiasco only served to reinforce that image. Google even reported that of the 250 qualifying reports it received, more than a third were for the affected Media Server module. That module is promised to have been mostly fixed and even hardened for Android N.
And to keep up with the ever growing need for more eyeballs, Google is raising the stakes. A high-quality vulnerability report, complete with proof of concept, will now be paid $4,000 instead of $3,000. A kernel exploit’s bounty goes up from $20,000 to $30,000. And those TrustZone or Verified Boot compromises? Now at $50,000. Good luck bug hunters!