It’s been a year since Google expanded its bug bounty program to cover vulnerabilities found in Android devices, and the company is celebrating by sharing some of the results. Over the past twelve months Google has paid out more than $550,000 to 82 people for their discoveries, an average of $2,200 per reward and $6,700 per researcher. The year's top performer was Peter Pi (@heisecode), who earned $75,750 for 26 reports.
Google also paid $10,000 or more to 15 researchers, but no one managed to snag the top prize for a complete remote exploit chain leading to TrustZone or Verified Boot compromise.
Android's Media Server component accounted for more than a third of the 250 bugs reported over the past year. This should prove less problematic with Android N, which has been redesigned so that key processes are separated into different sandboxes, with access to resources such as the camera or GPU granted only as needed; a bug in one media component then exposes far less than it did when everything ran in a single privileged process. Google also noted that while the program is focused on Nexus devices, more than a quarter of the reported issues affected code developed and used outside of the Android Open Source Project, meaning vendor and partner code rather than AOSP itself.
Going forward, Google said it will offer more money for reports filed after June 1st, 2016. Specifically, a high-quality bug report with a proof of concept will net security researchers 33% more, while also providing a patch will result in a 50% bump in the payout. Google is also raising the stakes for a couple of specific exploit classes. The reward for a remote or proximal kernel exploit goes from $20,000 to $30,000, and the top reward for a TrustZone or Verified Boot compromise rises from $30,000 to $50,000.