Google has refreshed its Android Security Rewards program and will now offer two new top prizes of $1 million and $1.5 million. But finding bugs this valuable won’t be easy and researchers could earn more by selling them elsewhere.
Fast forward to 2019 and the ASR now has a top payout of $1 million per bug. But it needs to be a “full chain remote code execution exploits with persistence” that must compromise a tougher hardware target: Google’s Titan M secure chip, found on Pixel devices and the ChromeOS Pixelbook Chromebook.
Google’s new pricing follows Apple’s update in August, which raised the top reward for an iPhone exploit to $1 million for a flaw in the iOS kernel that achieves full control over an iPhone without the victim clicking anything, aka a ‘zero click exploit’.
Google today also announced a special program with a 50% bonus for exploits found on “specific” developer preview versions of Android. Google doesn't explain what "specific" means, but the top reward here is $1.5 million. Google’s Android bonus mirrors Apple’s top-up for rare flaws found in preview versions of iOS.
Soon after Apple changed its new top rewards, exploit broker Zerodium announced it would pay $2.5 million for an exploit chain for Android, which for the first time was more than what it offered for equivalent iOS exploits. Zerodium justified the change in order because Google and Samsung had improved Android security dramatically, while there was a “bunch of 1-click iOS exploits on the market”.
The veneer of Apple’s superior security in iOS came crashing down this year after Google Project Zero researchers disclosed a handful of iOS flaws, some of them zero click, mostly in Apple’s iMessage messaging system.
Google today also added a new “data exfiltration reward” category which offers up to $500,000 for a high value data secured by Pixel Titan M, and up to $250,000 for high value data secured by a Secure Element.
The Android-maker gave an update on Android bug bounty payments in 2019. It says it’s paid over $1.5 million to researchers over the past 12 months and suggests researchers are getting more per find.
Over 100 participating researchers received an average reward amount of over $3,800 per bug, which was a 46% increase on last year, Google said. Additionally, on average each researcher was paid $15,000, a figure that was up by 20% from last year.
Last year Google reported that average ASR rewards were $2,600 per reward, up from $2,150 per reward in 2017.
But these new top payouts will be pie-in-the-sky targets for researchers. Illustrating just how difficult it could be for a researcher to find a $1 million exploit, Google notes that the top single reward it paid in 2019 was $161,337.