Google is now offering a whopping $450,000 for uncovering critical vulnerabilities in certain high-profile Android apps.

This massive increase focuses on remote code execution (RCE) bugs. That means if you can find a way for someone to remotely hijack an app like Google Play Services or Gmail, you could be in for a serious payday.

Google also wants security researchers to focus on flaws that could lead to sensitive data theft, and will pay $75,000 for such exploits when they require no user interaction and can be triggered remotely.

For exceptional quality reports that include a proposed patch or effective mitigation and a root cause analysis to help find other issue variants, the company will pay 1.5x the total reward amount, allowing researchers to earn up to $450,000 for an RCE exploit in a Tier 1 Android app.

However, they’ll get half the reward for low-quality bug reports that don’t provide:

  • Accurate and detailed descriptions,
  • A proof-of-concept exploit,
  • Easy steps to reproduce the vulnerability reliably,
  • A clear demonstration of the bug’s impact.

Reward table (Tier 1 Android apps, before the 1.5x quality modifier):

Category         Remote / no user interaction   Via link click   Via malicious app / with non-default config   Attacker on same network
Code Execution   $300,000                       $150,000         $15,000                                        $9,000
Data Theft       $75,000                        $37,500          $9,000                                         $6,000
Other Vulns      $24,000                        $9,000           $4,500                                         $2,400

“Some additional, smaller changes were also made to our rules. For example, the 2x modifier for SDKs is now baked into the regular rewards. This should increase overall rewards, and will make panel decisions easier,” Google information security engineer Kristoffer Blasiak said.