In an attempt to entice more security researchers to find and report Android exploits, Google has raised its top bug bounty payouts to $200,000. Previously, the most a researcher could get for reporting an Android bug was $50,000.
To get that top payout, developers will have to demonstrate a remote exploit of vulnerabilities in Google’s TrustZone and Verified Boot technologies. And if researchers fund a bug in the Android kernel that they can exploit remotely, they’ll get up to $150,000 (increased from $30,000).
Over the past two years, no security researcher has successfully demonstrated exploits against TrustZone or Verified Boot. However, 31 people have received payments of $10,000 or more for participating in the Android Security Rewards Program.