Google has paid researchers more then $1.5 million over the years for discovering bugs in Chrome and other services. Finding vulnerabilities presents the best opportunity for fixing them and protecting users. Google is now hoping to improve the security of Android. It recently expanded its bug bounty program to cover the Nexus 6 smartphone and Nexus 9 tablet.
The N6 and N9 run the newest stock version of Android. At the moment, that's 5.1.1 Lollipop. Few other phones run this clean version of Android, which is why Google is targeting these two devices rather than all Android devices at large (which number in the thousands). Find problems in the base code and the fixes can likely permeate outward to others.
Google said it will pay for each bug found, and it will pay extra for each step shown to repair the bug provided by the researcher. The base reward is $500 for locating a moderately bad bug. A highly severe bug merits $1,000, and a critical bug merits $2,000. Want more than that? Come up with a way to fix the bug.
For example, researchers who find a bug and offer a test case will see their reward jump 50% to $750, $1,500 and $3,000, respectively. Find a bug, offer a test case and add a CTS, and the rewards climb to $1,000, $2,000 and $4,000. If you want to make top dollar, toss in a patch for the bug and Google will pay $2,000, $4,000 or $8,000, respectively, for moderate, high and critical bugs.
The CTS is the Android Compatibility Test Suite. It is updated constantly. All devices have to pass this test in order to be sold in the Google Play Store. For example, it ensures that the platform APIs are functioning correctly and that all apps follow Google's basic user interface guidelines. This is why Google is offering so much more money to those researchers who show the bug impacting the CTS.
Google will shell out big bucks if you can crack open the inner workings of the platform itself. The largest rewards are available to researchers who demonstrate how to work around Android’s platform security features, like ASLR, NX and the sandboxing that is designed to prevent exploitation and protect users. If you can figure out how to break into Verified Boot or TrustZone, Google will pay out $30,000.
"Android will continue to participate in Google’s Patch Rewards Program, which pays for contributions that improve the security of Android and other open source projects," said Google. "As we have often said, open security research is a key strength of the Android platform. The more security research that's focused on Android, the stronger it will become."