Google to shower 50%+ more gold on code-bearing bug hunters

Annihilating Android flaws now scores $50k


Google will pay out potentially 50 per cent or more cash to bug hunters who couple software vulnerability reports with proof-of-concept exploit code or patches.

Example exploits alone will bump critical bug payments by 33 per cent from US$3,000 (£2,101, A$4,060) to US$4,000 (£2,802, A$5,413). A "high quality" bug report with code, tests or patches will net 50 per cent more. A kernel exploit will now fetch US$30,000, up from US$20,000, and exploits that compromise an ARM processor's TrustZone or Android's Verified Boot will fetch US$50,000, up from US$30,000.

The increases come as Google today says it has dished out US$550,000 (£385,049, A$744,856) in rewards to bug hunters who warned of flaws in the Android operating system.

The cash over the first year of Google's Security Rewards program goes to 82 researchers, most of whom targeted the OS's vulnerable media processing code, which has been the source of many phone-compromising bugs.

The platform is, thanks to the effort, hardened in the upcoming Android N, aka version seven.

"While the program is focused on Nexus devices and has a primary goal of improving Android security, more than a quarter of the issues were reported in code that is developed and used outside of the Android Open Source Project," said Android security program manager Quan To.

"Fixing these kernel and device driver bugs helps improve security of the broader mobile industry and even some non-mobile platforms."

While most bug hunters landed US$6,700 (£4,696, A$9,071) in total for their bugs, a researcher known as @heisecode scored US$75,750 (£53,119, A$102,539) for 26 vulnerability reports.

Mountain View paid 15 researchers each more than US$10,000 (£7010, A$13,537) for their bugs.

No participant managed to find a complete remote exploit chain leading to TrustZone or Verified Boot compromise, a feat which would have earnt US$50,000 (£35,065, A$67,678), newly-increased from the former max payout of US$30,000 (£21,033, A$40,607). ®
