Google launched a reward program in 2015 called the “Android Security Rewards Program” to provide a bounty for those who find and submit Android bugs. The highest reward available is a whopping $200,000. However, no one has yet received this maximum reward.
According to Google’s rules, the Android Security Reward will be issued to people who can find and submit vulnerability attacks against TrustZone and launch verification on Android devices. In 2015, Google provided a less generous reward for the discoverers of this kind of vulnerability. However, due to the lack of related vulnerability submissions, Google raised the reward to $50,000 in June 2016 and then increased it to $200,000 in June 2017.
Despite this, researchers have achieved good results in finding other security vulnerabilities. Google officially announced in a blog post on the 20th that it has already paid more than $3 million in rewards through this program. According to Jason Woloz and Mayank Jain of the Android Security and Privacy team, 99 different bug hunters submitted 470 vulnerability reports in the past year.
Google’s highest award this year was paid to Guang Gong, a security researcher on the Qihoo 360 Alpha team in China. He found two vulnerabilities in the Pixel device, CVE-2017-5116 and CVE-2017-14904, for which he received a $105,000 reward.