Google today announced the launch of a security rewards program for Android at Black Hat’s Mobile Security Summit in London. The Android program will only cover vulnerabilities that affect Nexus phone and tablets available for sale in the Google Play Store, though. Right now, that’s the Nexus 6 phone and Nexus 9 tablet.
Base rewards start at $500 for reporting moderately severe vulnerabilities and go up to $8,000 for researchers who report a critical bug, provide a test case and submit a patch. On top of that, Google will offer up to an additional $30,000 for exploits that can compromise TrustZone or Verified Boot (and slightly smaller rewards up to $10,000 and $20,000 for attacks from installed apps and remote or proximal attacks).
Google believes the whole Android ecosystem will benefit from this vulnerability research, though. Given that the Nexus devices are the only ones Google has full control over — and that they run the company’s stock version of Android — it makes sense that the company would restrict this program to vulnerabilities that can be reproduced on these devices.
The new program is in addition to Google’s existing Patch Reward Program, which also includes the open-source foundations of Android. Bugs that qualify for this new program include vulnerabilities in the Android open source code, OEM libraries and drivers, the kernel and ARM TrustZone OS and modules.
Google says it has now paid out more than $4 million since the launch of its first bug bounty program in 2010. In 2014 alone, it paid out a total $1.5 million to more than 200 researchers.