Google Ups the Ante for Bug Hunters
In a bold move to enhance the security of its Android applications, Google has significantly raised the stakes for cybersecurity researchers, commonly known as bug hunters, by offering more lucrative rewards for discovering vulnerabilities. The tech giant has multiplied the potential earnings for certain categories of bugs by as much as tenfold, a change that underscores the value Google places on fortifying its digital fortress.
Google Information Security Engineer Kristoffer Blasiak highlighted the size of the increase, noting that remote arbitrary code execution in a Tier 1 app now pays $300,000, up from $30,000. The change is meant both to attract more researchers and to encourage high-quality reports that let the Mobile Vulnerability Reward Program team triage and make decisions faster.
Launched in May 2023, the Google Mobile Vulnerability Reward Program encompasses Android apps developed by Google and its subsidiaries, such as Fitbit, Waymo, and Waze. The program classifies these apps into three tiers based on their interaction with user data and Google’s services:
- Tier 1: High-priority apps including Google Play Services, Android Google Search App (AGSA), Google Cloud, and Gmail.
- Tier 2: Apps that have interactions with Tier 1 applications, user data, or Google’s services.
- Tier 3: Apps that do not handle user data or interact with Google’s services.
With the recent updates, a flaw in a Tier 1 app that allows arbitrary code execution and can be triggered remotely without user interaction can net the finder $300,000. If the bug requires user interaction, such as clicking a link, the reward is halved to $150,000.
Blasiak further explained that the increased rewards are targeted at the areas where Google most wants to strengthen security. For instance, the rewards for theft of sensitive data have been raised substantially: $75,000 if the bug can be exploited remotely without user interaction, and $37,500 if user involvement is necessary.
While Tier 2 and Tier 3 app vulnerabilities are also eligible for rewards, the bounties are comparatively smaller. Google is also incentivizing researchers to submit exceptionally detailed reports—those that include a proposed fix, a thorough root cause analysis, and a clear demonstration of the bug’s impact—by promising to increase the final reward amount by 1.5 times.
The team has a message for bug hunters: “Please be succinct: Your report is triaged by security engineers and a short proof-of-concept is more valuable than a video explaining the consequences of a specific bug.”
Encouraging Ethical Hackers to Uncover Flaws
These changes to the reward program were introduced following feedback from some of the most prolific contributors in the bug hunting community. The approach is not new for Google; a year earlier, the company had announced significantly higher rewards for Chrome security bugs that could be chained into a full exploit.
Google’s commitment to offering higher bounties is backed by recent research from the University of Pittsburgh and Carnegie Mellon University, which supports the notion that more substantial rewards motivate ethical hackers to invest greater effort. This, in turn, increases the likelihood of them identifying critical vulnerabilities before malicious actors can exploit them.