Google, which has already paid security researchers over $15 million since launching its bug bounty program in 2010, today expanded its Android Security Rewards program. Most notably, the company is introducing a top prize of $1 million. The previous top prize was $200,000. That’s technically a quintupling, although the maximum reward could be even higher. Google is launching a 50% bonus for exploits found on specific developer preview versions of Android, meaning the top reward could net you $1.5 million.
Bug bounty programs are a great complement to existing internal security programs. They help motivate individuals and hacker groups to not only find flaws but disclose them properly, instead of using them maliciously or selling them to parties that will. Rewarding security researchers with bounties costs peanuts compared to paying for a serious security snafu. Google is wise to proactively secure the world’s largest platform — Android passed 2.5 billion active devices in May.
Top prize and top reward
If you’re getting a feeling of déjà vu, that’s because Google drastically increased its Android rewards two years ago. In June 2017, Google quadrupled the top reward for a remote exploit chain or exploit leading to TrustZone or Verified Boot compromise from $50,000 to $200,000. The company did so because “no researcher has claimed the top reward.”
That seems to be the case once again, though this time Google has created a completely new reward. The $1 million top prize is for “a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices.” The Titan M chip, built into Pixel devices, secures the bootloader, lock screen, transactions in third-party apps, and more.
New reward or not, the maximum amount a security researcher can get for an Android exploit has exploded. Google also added other categories of exploits to the rewards program today, including those for data exfiltration and lock screen bypass. These rewards go up to $500,000, depending on the exploit category.
The highest Android reward Google has paid out to date was to Guang Gong of Qihoo 360. That was for the first reported 1-click remote code execution exploit chain on the Pixel 3. Gong was awarded $161,337 from the Android Security Rewards program and $40,000 from the Chrome Rewards program for a total of $201,337. The combined reward is the highest for a single exploit chain across all of Google’s bug bounty programs.
Let’s put the $161,337 number into perspective. In 2019, Google has so far paid out over $1.5 million in Android bug bounties. More than 100 researchers have received an average reward of over $3,800 per finding (a 46% increase from last year). The average paid per researcher was over $15,000 (a 20% increase from last year). If someone snags that $1.5 million, the average will skyrocket. But based on the Android program’s history, we’re not holding our breath.