Google will give more money for reporting bugs in Android

Google is going to give a bigger reward to developers who report bugs in the Android operating system. For example, someone who shows a ‘proof of concept’ gets more money, and when submitting a patch, even 50 percent more is paid.

The changes to the rewards program are detailed on Google’s blog. According to the internet giant, notifications made since June 1 of this year give greater rewards, provided the conditions are met. For example, when demonstrating an Android bug through a proof of concept, there is a 33 percent greater reward than was previously the case. Anyone who also does a CTS test or proposes a patch can even get up to 50 percent more.

In addition, the rewards for specific vulnerabilities are increased. For example, the payout for a so-called remote or proximal kernel exploit is increased from 20,000 to 30,000 dollars. Anyone who demonstrates a vulnerability that leads to the bypass of TrustZone, hardware-based security for arm chips, can expect a fee of $50,000 instead of $30,000. The same goes for developers who manage to bypass Verified Boot. So far, no developers have identified a bug in either of those two systems.

According to Google, about $550,000 has been distributed to 82 developers since the rewards program started last year. A developer collected 75,750 euros for reporting a total of 26 bugs. Over 250 validated bugs have been reported in the past year.

By increasing the rewards, Google probably wants to improve security in Android. The mobile operating system has come under considerable criticism in recent years for its lack of security and susceptibility to malware. One of the best-known examples is the Stagefright bug, which allowed remote code execution by opening infected media files. Partly for this reason, Google promised to tighten up its security policy, including by releasing monthly patches.