Google’s Android Security Rewards (ASR) program has awarded $3 million USD (roughly $3.87 million CAD) to researchers for reporting vulnerabilities.
That works out to about $1 million USD per year in the three years since the ASR’s inception.
According to a September 20th, 2018, Android Developers blog post, the average pay per researcher jumped 23 percent. Rewards average $2,600 USD, and researchers pulled in an average of $12,500 USD in awards.
An individual named Guang Gong received the highest payout to date. Gong was awarded $105,000 for a remote exploit chain he submitted.
In the ASR’s third year of operation, it received over 470 qualifying vulnerabilities from researchers. Despite the number of vulnerabilities, there were no payouts for the highest reward tier.
That tier rewards the discovery of a complete remote exploit chain that leads to TrustZone or Verified Boot compromise.
Additionally, researchers have earned a combined $100,000 for 30 vulnerabilities reported to the Google Play Security Rewards program.
Google works with manufacturers to ensure they fix vulnerabilities through monthly security patches.
Overall, Google’s system is a reliable way to motivate researchers to find exploits and security flaws. It also helps Google fix issues for regular users.