Google today launched an Android Security Rewards program to help reward and encourage the community and security researchers to find and disclose vulnerabilities in Android.
As a token of gratitude for the time and money invested by them to find any security vulnerability in Android, Google will be rewarding them with anywhere between $500 to $2,000.
The reward amount will vary depending on the severity of the vulnerability, with researchers getting $500 for moderate vulnerabilities, and up to $1,000 and $2,000 for high and critical vulnerabilities, respectively. These are the base rewards though, and Google will gladly give 1.5x of the reward amount if the report from security researchers contains standalone reproduction code, or up to 2x if there is a patch to fix the issue as well. There is also a 4x reward modifier for cases where researchers are able to submit both CTS test and a patch to fix the vulnerability.
The program is limited to security vulnerabilities that affects the AOSP code, OEM code, TrustZone OS and its modules, and the kernel. Vulnerabilities that do not qualify for an award include issues that require complex user interaction, phishing attacks, tap-jacking and more.
The program is only valid for the latest version of Android that is available on the Nexus phones and tablets, which are on sale through the Google Store in the United States. This means that for now, the rewards program is only valid for the Nexus 6 and the Nexus 9.
Security researchers and enthusiasts can find more details about the Android Security Rewards program here.