Google has announced that during the last year it has paid $3 million in rewards through its Android and Google Play Security programs to security researchers who discovered vulnerabilities.
Android security rewards RSS
A Chinese security researcher submitted two bugs to Google back in August 2017 that, combined, could allow the remote injection of arbitrary code into Android devices. Both bugs are already patched.
