SecurityWeek

Google Increases Android Bug Bounty Payouts

After paying out more than half a million dollars, Google has decided to increase the rewards offered to researchers who report vulnerabilities through the company’s Android bug bounty program.

The Android Security Rewards program was launched exactly one year ago, with up to $38,000 offered per submission. Over the past year, 82 researchers reported more than 250 flaws for which they received a total of over $550,000 from Google.

The top researcher, Peter Pi (@heisecode) of Trend Micro, received over $75,000 for 26 vulnerability reports. While more than a dozen experts received $10,000 or more, no one managed to earn the top reward, which Google is offering for a complete remote exploit chain that leads to a compromise of TrustZone or Verified Boot.

Google announced on Thursday that it’s making some improvements to its Android Security Rewards program. The search giant says it has increased rewards by 33 percent for high-quality vulnerability reports starting June 1. For instance, researchers can now earn $4,000 instead of $3,000 for a critical vulnerability report that is accompanied by a proof-of-concept (PoC).

The payout has increased by 50 percent for high-quality vulnerability reports that include not only a PoC, but also a CTS test or a patch. Rewards for remote or proximal kernel exploits have been increased from $20,000 to $30,000.

The top reward, the one offered for a remote exploit chain that leads to a TrustZone or Verified Boot compromise, has increased from $30,000 to $50,000.

“While the program is focused on Nexus devices and has a primary goal of improving Android security, more than a quarter of the issues were reported in code that is developed and used outside of the Android Open Source Project. Fixing these kernel and device driver bugs helps improve security of the broader mobile industry (and even some non-mobile platforms),” explained Quan To, security program manager at Google.

Since many of the reported Android vulnerabilities affected Mediaserver’s libstagefright library, Google says it has hardened the component in Android N, the next major version of the mobile operating system.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
