Google Making Hackers Richer – Paid Researchers in 6 Figures for a Pixel Bug


The bug bounty industry is going stronger than ever. From the companies themselves to bug aggregators like Zerodium, hackers are being paid in millions for finding vulnerabilities. It appears that for one bug alone, Google paid over $112,000 to a security researcher. The company released its “Vulnerability Reward Program: 2017 Year in Review” report yesterday, focusing on all the achievements by security researchers.

The tech giant awarded bug hunters more than 1 million dollars for vulnerabilities they found and reported in Google products, and a similar amount for Android as well. In total, for Android, Chrome and other Google products, the company spent nearly 3 million dollars in paying researchers for their bug reports.

RelatedGoogle Using Android Phones’ Location Services to Track 911 Callers More Accurately in Emergencies

The company highlighted a few researchers in its report who received a whopping bug bounty for their reported bugs. “In August, researcher Guang Gong outlined an exploit chain on Pixel phones which combined a remote code execution bug in the sandboxed Chrome render process with a subsequent sandbox escape through Android’s libgralloc,” Google wrote (emphasis is ours).

“As part of the Android Security Rewards Program he received the largest reward of the year: $112,500. The Pixel was the only device that wasn’t exploited during last year’s annual Mobile pwn2own competition, and Guang’s report helped strengthen its protections even further.”

While the largest award went to Gong, another security researcher named gzobqq received $100,000 for reporting security vulnerabilities in the guest mode of Chrome OS.

Google has also announced increasing rewards for a few categories. The company said rewards for remote code executions will go up from $1,000 to $5,000; for a remote exploit chain (or exploit leading to TrustZone or Verified Boot compromise) from $50,000 to $200,000, and for a remote kernel exploit the rewards will now go up from $30,000 to $150,000.

RelatedA Huge HDR Plus Image Dataset Released for Researchers by Google

“We’re also introducing a new category that includes vulnerabilities that could result in the theft of users’ private data, information being transferred unencrypted, or bugs that result in access to protected app components,” Google further added. “We’ll award $1,000 for these bugs.”

Tweet Share


Alphabet Inc Releases Q4 2017 Results; Traffic Acquisition Costs Increase 33%, Net Income Shows Loss Due To One-Time $10 Billion Tax Charge

Happy Day for Script Kiddies - This New Mass-Exploit Tool Automatically Finds and Hacks Vulnerable Devices

Cybercrime Doesn't Have to Be a Fact of Life - Google's Parent Company Introduces New Unit to Fight Against Online Crime

Android or iOS - How Much Data Google Can Get from You Using This One Toggle Alone

Google Assistant/Home and Home Can Control Smart Locks Soon