Google will pay up to $30,000 to anyone who can help squash Android vulnerabilities



Security is an important talking point for mobile operating systems in 2015, but you have to do more than just talk. Google is already pretty stout when it comes to security, but the company knows it’s impossible to catch every vulnerability alone.

That’s why they’re extending their Security Rewards program to Android. The premise is simple: you help Google find a bug, they’ll pay you. The more you help and the more severe the bug, the more you get.

Simply disclosing a bug or vulnerability can net you anywhere between $500 and $2,000, while providing test cases and fixes can get upwards of $10,000. And if you can demonstrate a high-severity hole that can be attacked by any third-party application installed on the device, Google will go as high as $20,000 to $30,000.

There are a couple of caveats to note. For starters, only vulnerabilities that affect AOSP, OEM and kernel code in the Nexus 9 and Nexus 6 are eligible for rewards. Google will also make exceptions for chipset code if the vulnerability affects Android. There are also some rules to adhere to:

  • Only the first report of a specific vulnerability will be rewarded.
  • Bugs initially disclosed publicly, or to a third-party for purposes other than fixing the bug, will typically not qualify for a reward.

And some cases that won’t qualify as a valid vulnerability:

  • Issues that require complex user interaction. For example, if the vulnerability requires installing an app and then waiting for a user to make an unlikely configuration change.
  • Phishing attacks that involve tricking the user into entering credentials.
  • Tap-jacking and UI-redressing attacks that involve tricking the user into tapping a UI element.
  • Issues that only affect userdebug builds or require debugging access (ADB) to the device.
  • Bugs that simply cause an app to crash.

You can read more details over at the site’s FAQ. If you’re a developer or security researcher with a knack for finding and squashing these kinds of bugs and vulnerabilities, be sure to read up on everything about the program. Fingers crossed that you can help shore up Android security while making some nice cash in the process.

[via Google]

Quentyn Kennemer



  1. Is this more to increase Android security, or just to get people to stop sharing exploits publicly?

    And yes, I’m partially being rhetorical.

  2. Well then… put up or shut up! :D

  3. How about 30,000 to squash some nasty Lollipop bugs?
