Google has just announced Android Security Rewards, a program that rewards anyone who finds (and even fixes) vulnerabilities in the latest version of Android for current Nexus devices – that means the Nexus 6 and Nexus 9 at the moment.
Android Security Rewards pays out
The press release states:
We’re launching Android Security Rewards to help reward the contributions of security researchers who invest their time and effort in helping us make Android more secure. Through this program we provide monetary rewards and public recognition for vulnerabilities disclosed to the Android Security Team. The reward level is based on the bug severity and increases for higher quality reports that include reproduction code, test cases, and patches.
Apparently the rewards range from $333 for a test case of a low severity bug up to $8,000 for a “well-written CTS test and patch” for a critical bug.
Google does say that the program applies only to bugs that are not covered by existing reward schemes, including bugs found in AOSP (Android Open Source Project) code, OEM code (libraries and drivers), the kernel, and the TrustZone OS and modules. If that doesn’t mean much to you, don’t worry, as you’re probably not going to collect any of the bounty…
There are, however, some exceptions listed by Google, the main one being that you have to be the first to report the bug and that you have to disclose it to Google first.
For anyone who doesn’t want the money, Google will pay double the amount and donate it to the charity of your choice.
Google has a similar reward program for Chrome bugs and website vulnerabilities, and announced last August that it has paid out more than $2 million in bounties during a three-year period.