Posted by Jason Woloz and Mayank Jain, Android Security & Privacy Team
Our Android and Play security reward programs help us work with top researchers from around the world to improve Android ecosystem security every day. Thank you to all the amazing researchers who submitted vulnerability reports.
Android Security Rewards

In the ASR program's third year, we received over 470 qualifying vulnerability reports from researchers and the average pay per researcher jumped by 23%. To date, the ASR program has rewarded researchers with over $3M, paying out roughly $1M per year.
Here are some of the highlights from the Android Security Rewards program's third year:

  • There were no payouts for our highest possible reward: a complete remote exploit chain leading to TrustZone or Verified Boot compromise.
  • 99 individuals contributed one or more fixes.
  • The ASR program's reward averages were $2,600 per reward and $12,500 per researcher.
  • Guang Gong received our highest reward amount to date: $105,000 for his submission of a remote exploit chain.

As part of our ongoing commitment to security, we regularly update our programs and policies based on ecosystem feedback. We also updated our severity guidelines for evaluating the impact of reported security vulnerabilities against the Android platform.
Google Play Security Rewards

In October 2017, we rolled out the Google Play Security Reward Program to encourage security research into popular Android apps available on Google Play. So far, researchers have reported over 30 vulnerabilities through the program, earning a combined bounty amount of over $100K.
If undetected, these vulnerabilities could have potentially led to elevation of privilege, access to sensitive data and remote code execution on devices.
Keeping devices secure

In addition to rewarding for vulnerabilities, we continue to work with the broad and diverse Android ecosystem to protect users from issues reported through our program. We collaborate with manufacturers to ensure that these issues are fixed on their devices through monthly security updates. Over 250 device models have a majority of their deployed devices running a security update from the last 90 days. This table shows the models with a majority of deployed devices running a security update from the last three months:
| Manufacturer | Device |
| --- | --- |
| ANS | L50 |
| Asus | ZenFone 5Z (ZS620KL/ZS621KL), ZenFone Max Plus M1 (ZB570TL), ZenFone 4 Pro (ZS551KL), ZenFone 5 (ZE620KL), ZenFone Max M1 (ZB555KL), ZenFone 4 (ZE554KL), ZenFone 4 Selfie Pro (ZD552KL), ZenFone 3 (ZE552KL), ZenFone 3 Zoom (ZE553KL), ZenFone 3 (ZE520KL), ZenFone 3 Deluxe (ZS570KL), ZenFone 4 Selfie (ZD553KL), ZenFone Live L1 (ZA550KL), ZenFone 5 Lite (ZC600KL), ZenFone 3s Max (ZC521TL) |
| BlackBerry | BlackBerry MOTION, BlackBerry KEY2 |
| Blu | Grand XL LTE, Vivo ONE, R2_3G, Grand_M2, BLU STUDIO J8 LTE |
| bq | Aquaris V Plus, Aquaris V, Aquaris U2 Lite, Aquaris U2, Aquaris X, Aquaris X2, Aquaris X Pro, Aquaris U Plus, Aquaris X5 Plus, Aquaris U lite, Aquaris U |
| Docomo | F-04K, F-05J, F-03H |
| Essential Products | PH-1 |
| Fujitsu | F-01K |
| General Mobile | GM8, GM8 Go |
| Google | Pixel 2 XL, Pixel 2, Pixel XL, Pixel |
| HTC | U12+, HTC U11+ |
| Huawei | Honor Note10, nova 3, nova 3i, Huawei Nova 3I, |
