
Google Extends Bug Bounty Program to Android

Stephanie Mlot, Contributor


Google is expanding its bug bounty program to cover Android-powered gadgets, like the Nexus 6 and Nexus 9.

Last year alone, the company paid more than $1.5 million to researchers who found vulnerabilities in Chrome and its other products. That program is now expanding to mobile devices as Android Security Rewards, which pays security researchers according to the severity of the flaws they find.

The program will initially focus on the Nexus 6 smartphone and Nexus 9 tablet. According to Android Security Engineer Jon Larimer, Nexus is the first major line of mobile devices to offer an ongoing vulnerability rewards program.

Google will pay for each step required to fix a security bug: $500 for a moderate-severity flaw, $1,000 for high, and $2,000 for critical. Researchers who also supply tests and patches are eligible for a bigger payday: up to $8,000 for a critical bug reported together with a CTS (Compatibility Test Suite) test that detects it and a patch that fixes it.

The largest rewards, however, go to researchers who demonstrate a working exploit that defeats Android's built-in security features. An exploit or chain of exploits leading to kernel or TEE (TrustZone) compromise from an installed app earns an additional $10,000 to $20,000; achieving the same compromise through a remote attack vector can net an additional $20,000 to $30,000.

Don't start calculating your earnings just yet. The final amount is chosen at the discretion of the reward panel.

"In particular, we may decide to pay higher rewards for unusually clever or severe vulnerabilities; decide that a single report actually constitutes multiple bugs; or that multiple reports are so closely related that they only warrant a single reward," the Android Security Rewards program rules said.

And remember: Only the first report of a specific vulnerability will be rewarded, and bugs initially disclosed publicly or to a third party do not typically merit any money.

There is also an option for those less interested in getting paid than doing the right thing, to donate a reward to an established charity—in which case Google will double the amount.
