Since 2010, our security reward programs have helped make Google products safer for everyone. Last year, we paid more than 1.5 million dollars to security researchers that found vulnerabilities in Chrome and other Google Products.
Today, we're expanding our program to include researchers that will find, fix, and prevent vulnerabilities on Android, specifically. Here are some details about the new Android Security Rewards program:
- For vulnerabilities affecting Nexus phones and tablets available for sale on Google Play (currently Nexus 6 and Nexus 9), we will pay for each step required to fix a security bug, including patches and tests. This makes Nexus the first major line of mobile devices to offer an ongoing vulnerability rewards program.
- In addition to rewards for vulnerabilities, our program offers even larger rewards to security researchers that invest in tests and patches that will make the entire ecosystem stronger.
- The largest rewards are available to researchers that demonstrate how to work around Android’s platform security features, like ASLR, NX, and the sandboxing that is designed to prevent exploitation and protect users.
Android will continue to participate in Google’s Patch Rewards Program which pays for contributions that improve the security of Android (and other open source projects). We’ve also sponsored mobile pwn2own for the last 2 years, and we plan to continue to support this and other competitions to find vulnerabilities in Android.
As we have often said, open security research is a key strength of the Android platform. The more security research that's focused on Android, the stronger it will become.