Google Making Hackers Richer – Paid Researchers in 6 Figures for a Pixel Bug

The bug bounty industry is going stronger than ever. From the vendors themselves to exploit brokers like Zerodium, hackers are being paid millions for finding vulnerabilities. For one bug chain alone, Google paid a security researcher $112,500. The company released its "Vulnerability Reward Program: 2017 Year in Review" report yesterday, summarizing what security researchers reported to it over the year.

The tech giant awarded bug hunters more than $1 million for vulnerabilities they found and reported in Google products, and a similar amount for Android. Including Chrome rewards, the company spent nearly $3 million paying researchers for their bug reports across Android, Chrome and its other products.


The company highlighted a few researchers in its report who received a whopping bug bounty for their reported bugs. "In August, researcher Guang Gong outlined an exploit chain on Pixel phones which combined a remote code execution bug in the sandboxed Chrome render process with a subsequent sandbox escape through Android's libgralloc," Google wrote.

"As part of the Android Security Rewards Program he received the largest reward of the year: $112,500. The Pixel was the only device that wasn't exploited during last year's annual Mobile Pwn2Own competition, and Guang's report helped strengthen its protections even further."

While the largest award went to Gong, another security researcher named gzobqq received $100,000 for reporting security vulnerabilities in the guest mode of Chrome OS.


Google has also announced increased rewards for a few categories. The company said the reward for a remote code execution bug will go up from $1,000 to $5,000; for a remote exploit chain (or an exploit leading to TrustZone or Verified Boot compromise) from $50,000 to $200,000; and for a remote kernel exploit from $30,000 to $150,000.

“We’re also introducing a new category that includes vulnerabilities that could result in the theft of users’ private data, information being transferred unencrypted, or bugs that result in access to protected app components,” Google further added. “We’ll award $1,000 for these bugs.”


