Google’s Android Security Rewards program has now paid out $3 million in the three years it has existed, but while the total figure has doubled in the past year, growth in average rewards has halved.
Google says its Android bug bounty payouts have now “surpassed $3 million” for bugs that researchers have found in Android since launching the program in 2015. This, Google says, amounts to about $1m a year paid to people not on Google’s payroll who toil away on its mobile operating system's security flaws.
A pool of $1m a year is, depending on local wages and the number of entrants, a big pot for those with the skills to find bugs worthy of a share of it.
But Google’s latest figures suggest that competition for its Android bug bounty rewards could be getting harder and with that the chances of a big windfall may be declining fast.
Last year Google reported that the average pay per researcher jumped by 52.3 percent over the prior year, whereas this year it rose by 23 percent.
Today, average rewards under the Android Security Rewards program stand at $2,600 per reward and $12,500 per researcher.
Last year, it said it had “paid 115 individuals with an average of $2,150 per reward and $10,209 per researcher”, which is approximately the 23 percent increase in average rewards it reported today.
But Google appears to be fudging the numbers too.
Google said it had received 470 qualifying vulnerability reports from bug hunters so far in 2018 as of September 20, 2018, compared to 450 qualifying vulnerability reports it reported in 2017, which was posted on June 1.
In these extra four months in 2017 Google could have paid several hundred thousand dollars extra to a relatively small pool of researchers. So is Google's Android bug bounty growing or shrinking?
Last year Google said the "total Android Security Rewards payout doubled to $1.1 million dollars”, meaning in the first year the total was $550,000. It added that “since it launched, we've rewarded researchers over $1.5 million dollars.”
Based on Google's claim that total Android bug bounty payouts have topped $3 million now, the total has doubled and that it has paid out $1.5 million in the past year.. or year-and-a-half.
Google doesn’t claim that this year’s that total payouts have doubled as it did last year.
The Android bug bounty has not dried up, but the numbers suggest that life for bug hunters who choose to rely to Google's Android bug bounty for a living could be getting tougher.