At the moment, the bug bounty, called the Android Security Rewards Program, is valid only for vulnerabilities detected on the Nexus 6 and the Nexus 9. This new bug bounty will run in parallel to Google's existing Patch Reward Program, one that rewards coders for finding bugs in various open-source projects.
Aside from acknowledging their contribution towards making Android a safer operating system, Google will also pay coders a certain sum of money, depending on the severity of the bug and on whether the coder can also provide test cases and patches for the vulnerability that has been discovered.
The rewards range from $333 for detecting a low-severity vulnerability and providing the associated test case, to $500 for the simple act of detecting a moderate-severity vulnerability, and up to $8,000 for detecting a high-severity security bug, providing the test case, and patching the vulnerability. On top of that, coders can receive up to $30,000 more for demonstrating exploits that lead to TEE (TrustZone) or Verified Boot compromise through a remote or proximal attack vector.
For security experts who don't need Google's money, the company is also offering to donate twice the amount that coders qualify for to an established charity.
Bug bounties are certainly not a new idea, as many large companies rely on third-party coders to find and possibly patch vulnerabilities. This doesn't mean that Google's intention of patching up Android vulnerabilities is any less important, especially at the rate vulnerabilities are discovered. Do you guys think that this could lead to safer Android versions on future Nexus smartphones and tablets?