Google has sharply increased the cash rewards available to security researchers who find certain categories of vulnerabilities in its products.
Starting this week, the company will award $200,000 to any researcher that can demonstrate a successful remote exploit against Google’s TrustZone and Verified Boot technologies. That number represents a four-fold increase over the $50,000 it used to offer for the same vulnerabilities previously.
Rewards for remote kernel exploits have been bumped up from $30,000 to $150,000.
No researcher has successfully claimed rewards for finding vulnerabilities and developing exploits in these categories in the past two years, said Mayank Jain and Scott Roberts, two members of the Android Security team in a blog. So Google has decided to increase the top-line payouts for these exploits, they noted.
The move to increase the reward money appears designed to get more security researchers to try and take a crack at the company’s core technologies.
Google launched its Android Security Rewards program two years ago. Like other bug bounty programs including Google’s own Vulnerability Reward Program, the Android program rewards security researchers who find and report Android security vulnerabilities to the company in a responsible manner. In 2016, Android had the dubious distinction of being the buggiest operating system with more than 520 distinct vulnerabilities reported in the operating system.
The Google program applies to vulnerabilities that are discovered in versions of Android running on Google’s Pixel, Pixel XL and Pixel C mobile devices. Bugs that are eligible for reward include those that are discovered in Android Open Source Project code, in libraries and drivers, the operating system kernel and the TrustZone device level security mechanism for protecting encryption keys and other sensitive data.
As with other bug bounty programs, Google’s reward amounts vary depending on the criticality of the bug. Security researchers who report low severity bugs can earn up to $330 per bug, moderate bugs receive between $20,000 and $35,000 while high severity flaws can fetch between $75,000 and $100,000. Critical flaws, such as those in TrustZone and Verified Boot now fetch up to $200,000.
According to Jain and Roberts, Google has so far paid a total of more than $1.5 million to bug hunters since the company launched the Android rewards program two years ago. About $1.1 million of that amount was paid out in the last 12 months alone, they noted.
About 31 individuals made $10,000 or more reporting Android bugs to Google. Members of the CORE Team, a group of independent security researchers from academia and industry, collectively earned more than $300,000 in bug bounties in the past 12 months. The group reported 118 vulnerabilities to Google in total, Jain and Roberts said.
On top of rewarding security researchers, Google is also working with Android device makers to get them to implement Android security patches more quickly. Google moved to a monthly security patch release cycle in August 2015. Since then the company has been aggressive about ensuring that its own Android products are patched quickly and has been coaxing others to do the same.
A majority of deployed Android devices from about one dozen vendors currently have patches that are less than 90 days old. Among them are BlackBerry, Fujitsu, Motorola and Samsung, Jain and Roberts said.