Find a Bug in Your Android Phone? You Could Make $50,000

Bug fixers

ScoreCard Research

Jealous of the kid who made $10,000 by finding a major bug for Instagram?

You can still earn some serious cash with your tech skills. Just share them with Google instead of Facebook, which owns Instagram.

In June 2015, Google expanded its Vulnerability Rewards Program (VRP) — which pays ordinary people who find glitches in its products — to include Android security.

Since then, Google has offered bounties of up to $38,000 to people who identified issues that helped protect Android users with Nexus phones and tablets, according to program manager Quan To.

Now the stakes are even higher.

Happy anniversary, Android bug fixers. You’re getting a raise.

Google’s Top Android Fixer Earned $75K in One Year

In Android VRP’s first year, 82 bug finders received more than $550,000, with an average reward of $2,200!

Fifteen researchers received $10,000 or more, either for submitting fixes for multiple bugs or receiving bonuses for particularly tricky pests.

But the top earner in this project was Peter Pi, who received more than $75,000 for submitting 26 vulnerability reports. Pi is a threats analyst at cloud-security firm Trend Micro.

It’s safe to say Pi has the most lucrative side hustle we’ve seen in a while.

More Bug-Squashing Money

“There were no payouts for the top reward for a complete remote exploit chain leading to TrustZone or Verified Boot Compromise,” To noted, adding that the payout for solving that issue has increased from $30,000 to a whopping $50,000.

Meaning: There’s still big money to be made across Google’s Android products.

“We will now pay 33% more for a high-quality vulnerability report with proof of concept,” To wrote. And if you include a potential fix with your vulnerability report, you’ll earn even more — as in, 50% more!

You don’t have to be the local STEM whiz to cash in with Google. A bug report alone could earn you $200.

And if you find something really serious, you may earn even more.

“The final amount is always chosen at the discretion of the reward panel,” Android VRP guidelines specify.

“In particular, we may decide to pay even more for unusually clever or severe vulnerabilities, decide that a single report actually constitutes multiple bugs, or that multiple reports are so closely related that they only warrant a single reward.”

Not in it for the money? Or maybe your employer won’t let you dabble outside your day job. If so, Google will donate your reward to charity at your request — and might even double that donation.

For participation rules, submission guidelines and full payout details, check out Google’s Android VRP rules.

Your Turn: Have you ever submitted a bug to Google? Did you get paid?

Lisa Rowan is a writer, editor and podcaster living in Washington, D.C. She is not your local STEM whiz.