Android bug bounty tops $3m in third year, but pay flattens out


Google’s Android Security Rewards program has now paid out $3 million in the three years it has existed, but while the total figure has doubled in the past year, growth in average rewards has halved. 

Google says its Android bug bounty payouts have now “surpassed $3 million” for bugs that researchers have found in Android since it launched the program in 2015. This, Google says, amounts to about $1m a year paid to people not on Google’s payroll who toil away on its mobile operating system's security flaws.

A pool of $1m a year is, depending on local wages and the number of entrants, a big pot for those with the skills to find bugs worthy of a share of it. 

But Google’s latest figures suggest that competition for its Android bug bounty rewards could be getting harder, and with that, the chances of a big windfall may be declining fast.

Last year Google reported that the average pay per researcher jumped by 52.3 percent over the prior year, whereas this year it rose by 23 percent. 

Today, average rewards under the Android Security Rewards program stand at $2,600 per reward and $12,500 per researcher. 

Last year, it said it had “paid 115 individuals with an average of $2,150 per reward and $10,209 per researcher”, which is approximately the 23 percent increase in average rewards it reported today.  

But Google appears to be fudging the numbers too. 

Google said it had received 470 qualifying vulnerability reports from bug hunters so far in 2018 as of September 20, 2018, compared to the 450 qualifying vulnerability reports it reported in 2017, in figures posted on June 1.

In these extra four months in 2017 Google could have paid several hundred thousand dollars extra to a relatively small pool of researchers. So is Google's Android bug bounty growing or shrinking? 

Last year Google said the "total Android Security Rewards payout doubled to $1.1 million dollars”, meaning in the first year the total was $550,000. It added that “since it launched, we've rewarded researchers over $1.5 million dollars.”

Based on Google's claim that total Android bug bounty payouts have now topped $3 million, the total has doubled, meaning it has paid out $1.5 million in the past year... or year-and-a-half.

But Google doesn’t claim that this year’s total payouts have doubled, as it did last year.


The Android bug bounty has not dried up, but the numbers suggest that life for bug hunters who choose to rely on Google's Android bug bounty for a living could be getting tougher.


Stories by Liam Tung
