Google Making Hackers Richer – Paid Researchers in 6 Figures for a Pixel Bug
The bug bounty industry is going stronger than ever. From the companies themselves to exploit acquisition platforms like Zerodium, hackers are being paid millions for finding vulnerabilities. It appears that for one bug alone, Google paid over $112,000 to a security researcher. The company released its "Vulnerability Reward Program: 2017 Year in Review" report yesterday, focusing on the achievements of security researchers over the year.
The tech giant awarded bug hunters more than 1 million dollars for vulnerabilities they found and reported in Google products, and a similar amount for Android. In total, across Android, Chrome and other Google products, the company spent nearly 3 million dollars paying researchers for their bug reports.
The company highlighted a few researchers in its report who received a whopping bug bounty for their reported bugs. "In August, researcher Guang Gong outlined an exploit chain on Pixel phones which combined a remote code execution bug in the sandboxed Chrome render process with a subsequent sandbox escape through Android’s libgralloc," Google wrote (emphasis is ours).
"As part of the Android Security Rewards Program he received the largest reward of the year: $112,500. The Pixel was the only device that wasn’t exploited during last year’s annual Mobile pwn2own competition, and Guang’s report helped strengthen its protections even further."
While the largest award went to Gong, another security researcher named gzobqq received $100,000 for reporting security vulnerabilities in the guest mode of Chrome OS.
Google also announced increased rewards in a few categories. The company said rewards for remote code execution will go up from $1,000 to $5,000; for a remote exploit chain (or an exploit leading to TrustZone or Verified Boot compromise) from $50,000 to $200,000; and for a remote kernel exploit from $30,000 to $150,000.
"We’re also introducing a new category that includes vulnerabilities that could result in the theft of users’ private data, information being transferred unencrypted, or bugs that result in access to protected app components," Google further added. "We’ll award $1,000 for these bugs."