06 September 2018
Google has shared some figures from its Android Security Rewards (ASR) program, which has just completed its first year as part of Google's Vulnerability Rewards Program (VRP). Google reports that it received over 250 qualifying vulnerability reports from Android researchers during that period. In total, $550,000 was paid to 82 individuals, which works out to an average of $2,200 per reward and $6,700 per researcher.
Google also named its top researcher, @heisecode, who submitted 26 vulnerability reports and received $75,750 in rewards. Fifteen researchers received $10,000 or more.
Google said there were "no payouts for the top reward for a complete remote exploit chain leading to TrustZone or Verified Boot compromise."
Google has also made a few changes to the program, which it says it is continuously working to improve. The changes mainly raise the rewards paid to vulnerability researchers. For instance, the reward for a Critical vulnerability report with a proof of concept has increased from $3,000 to $4,000. Further improvements, in Google's own words, include:
- A high-quality vulnerability report with a proof of concept, a CTS test, or a patch will receive an additional 50%.
- We’re raising our rewards for a remote or proximal kernel exploit from $20,000 to $30,000.
- A remote exploit chain or exploits leading to TrustZone or Verified Boot compromise increases from $30,000 to $50,000.