Google on Tuesday announced a new “Android Security Rewards Program” that will pay folks for reporting bugs. If you’re able to not only report the bug, but can also provide a patch, the amount of that reward increases all the way up to $38,000. “The reward level is based on the bug severity and increases for higher quality reports that include reproduction code, test cases, and patches,” Google explained.
There are three reward amounts for three different severities, including moderate ($500), high ($1,000) and critical ($2,000). Google said that only the first report of a vulnerability is rewarded, and that anyone who publicly discloses a bug probably won’t receive a reward. If you note a severe bug and also provide CTS tests and a patch, you can earn up to $8,000.
The big bucks come with specific attack vectors, Google said. “An exploit or chain of exploits leading to TEE (TrustZone) or Verified Boot compromise from an installed app or with physical access to the device will get up to an additional $20,000. Going through a remote or proximal attack vector can get up to an additional $30,000.” So, if you discover one of those bad boys and can also provide CTS tests and a patch, you should get around $38,000.
Google said all bugs should be reported to AOSP using the Security Bug Report template, and bug hunters must meet Android’s Coding Style Guidelines in order to receive the full reward amount. Google asks that you only target your own device, so don’t go hacking the neighborhood, please.