Google started its Android Security Rewards program in June 2015, awarding money to researchers who find vulnerabilities in Android as well as in Nexus phones and tablets. One year later, the company posted the results of the program on its blog, and it can be considered a success, both for Google and for the researchers involved. So far, Google has paid more than $550,000 to 82 individuals who submitted more than 250 qualifying vulnerability reports, Google's Android Security Program Manager Quan To wrote. The top researcher, identified by Google as @heisecode, is actually making a decent living finding Android bugs; he won a total of $75,750 for 26 vulnerability reports. He'll get an even bigger enticement to continue searching for bugs in Google's mobile OS, as Google is increasing the awards for reports filed after June 1, 2016.
Google has rolled out patches for an Android wireless network vulnerability. The search giant released the fix for the so-called KRACK vulnerability, which, if exploited, could have let a sophisticated attacker decrypt Wi-Fi traffic, hijack connections, perform man-in-the-middle attacks, and eavesdrop on communication sent from an affected device. Mathy Vanhoef, the computer security academic who found the flaw, singled out Android, calling the security issue "exceptionally devastating" for devices running Android 6.0 and later. Several other security fixes were rolled into the update package, including 22 high-rated bugs and 10 critical bugs. Apple released its security fix for KRACK last week.
Google announced its monthly security patches for Android this week, in which it addressed a number of critical vulnerabilities--including six related to the Android Mediaserver component that could be used to remotely execute code. In addition to the Mediaserver fixes, Google also patched four vulnerabilities related to Qualcomm components found in Android devices, including Google's Nexus 6P, Pixel XL and Nexus 9 devices. According to Google, the most severe of the issues patched was a vulnerability in its Mediaserver component "that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files." Mediaserver is a program built into the Android system that is designed to scan all available media files on the device and index them, making it easier for applications on the device to quickly access the files. It has also been a bit of a bane for Android users, as fingers are often pointed at the service for eating up battery and occupying too much of the device's available memory while it performs its task.
The top bug hunter in the past year received $75,750 for 26 vulnerability reports, and 15 individuals received $10,000 or more. The average was $2,200 per reward and $6,700 per researcher. "High-quality" reports -- that is, those that include a proof of concept and come with a proposed patch -- will earn 50 percent more than regular bug submissions. Finding and squashing these bugs could greatly improve Android's security, but participants are also encouraged to report problems outside the OS. Google said that more than a quarter of the issues were reported in code developed and used outside of the Android Open Source Project (AOSP).