Google Raises Stakes 33 To 50 Percent For Android Bug Bounty Rewards Celebrating First Anniversary
At the time the program launched, and leading up to this point, the maximum payout for reports has been $38,000. That kind of figure is not common for the regular submitter to see, though; instead, the payouts might be measured in the thousands, rather than tens of thousands. Nonetheless, those who plan to submit reports for a chance at a nice payout are going to be even happier going forward.
Due to the success of the program, Google has decided to raise payouts 33%. An example given is: if someone submits a report and would have been awarded $3,000, they'd now be awarded $4,000. With this kind of optimism for the program, it's clear that its rollout last summer was long overdue. It also highlights the simple fact that when you get those who thirst for money on the case, you can accomplish a lot.
Since Google launched this bug bounty for Android program, it's paid out $550,000 to 82 individuals, which amounts to $2,200 per reward and $6,700 per researcher. Some 15 of those researchers were paid $10,000 or more, and one, Peter Pi (@heisecode) earned an impressive $75,750 for his 26 vulnerabilities.
Google notes that the increase can go beyond 33% in some instances. A high-quality report with a proof of concept, a CTS test, or a patch, will qualify to earn 50% more than it would right now. Want to find a remote kernel exploit? $30,000 is waiting (and it's a good thing you held off, since it would have been worth $20,000 mere days ago!)
If you're serious about finding Android bugs for cash, you should to review the program rules page which will explain everything about the program you need to know.