Android Security Rewards Program of Google has now changed. Reward for finding a bug in the Android operating system has now increased up to $200,000.
The day after the news released of an Android malware Judy, Google has announced the new recognition of contributions. This is an initiative from Google to make Android more secure.
The reward includes monetary reward as well as public recognition for the weaknesses revealed to the Android Security Team. The amount of the reward is based on the bug severity and completeness of the report which includes reproduction code, test cases etc.
As public recognition, you can find the names of all the people and parties who helped to improve the Android security till now here. https://source.android.com/security/overview/acknowledgements
This program covers in the latest Android versions for Pixel phones and tablets as follows.
- Pixel and Pixel XL
- Pixel C
Only the first report of a given issue that Google is unaware of is eligible for reward. In the event of a duplicate submission, the earliest filed bug report in the bug tracker is considered the first report.
Reward Amount based on the severity of the bugs.
|Severity||Complete Report* + PoC||Payment range (if report includes an exploit leading to Kernel compromise)**||Payment range (if report includes an exploit leading to TEE compromise)**|
|Critical||Required||Up to $150,000||Up to $200,000|
|High||Required||Up to $75,000||Up to $100,000|
|Moderate||Required||Up to $20,000||Up to $35,000|
|Low||Required||Up to $330||Up to $330|
* Bug reports that are incomplete or do not include a proof of concept will receive up to $200 depending on severity.
** Subject to the discretion of the rewards committee
For details please see https://www.google.com/about/appsecurity/android-rewards/