Google announced that it paid its highest-ever bug bounty reward in 2022, for a security flaw worth $605,000 (about £503,000).
The record reward was for a bug affecting the Android mobile operating system (OS), but Google did not offer any further details about the vulnerability or the exploit chain itself.
Google’s lack of transparency regarding the bug’s nature, coupled with the substantial reward, could offer clues about the severity of the issue, which is most likely now patched.
A researcher known by the alias ‘gzobqq’ was singled out as the individual who received the record-breaking reward.
They were also the recipient of 2021’s most valuable reward, for a critical exploit chain in Android tracked as CVE-2021-39698, earning $157,000 (£130,000).
Google’s outline of its rewards philosophy indicates that when deciding on the reward’s amount, the severity of the bug and the sensitivity of the affected product are considered.
Remote code execution vulnerabilities – those that give attackers full access to a target system to run their own malicious code – are considered the most serious kind of bug and are likely to generate the most lucrative rewards.
The very top awards will also go to flaws that offer “near-full control over user accounts”, Google said, such as cross-site scripting (XSS) flaws in the origin at accounts.google.com.
Also among the more valuable awards are bugs that facilitate attacks on multiple users via a single compromised account, or attacks on other non-Google accounts belonging to the same victim.
Google said that reward amounts generally change over time “to offer balanced incentives for external researchers – especially as we find certain classes of targets more difficult to attack”.
“When receiving multiple reports, we typically only reward once per root cause and group related vulnerabilities together. For example, if there is a service that accidentally disabled CSRF protection, we wouldn’t issue a reward for each handler that had CSRF protection disabled, but would rather issue a reward for the most serious CSRF vulnerability in the code.
“We may also give small bonus increases of about $1,000 for particularly clever or interesting vulnerabilities.”
According to the Android-specific bug bounty guidelines, the most lucrative payouts are made when flaws in Google’s Titan M chip are discovered.
Titan M was launched in 2018 on the Google Pixel 3 smartphone. It acts as a hardware security layer for mobile devices, aimed at reducing the likelihood of data exfiltration, data interception, and phishing.
Zero-click vulnerabilities allowing code execution with persistence on a Titan M chip are eligible for a maximum reward of $1 million (£831,000), and $500,000 without persistence.
“For the full $1,000,000 reward, the Pixel Titan M exploit must be remote, show persistence, work on all vulnerable builds and devices, trigger with zero clicks, be easily reproducible with minimal visibility to the user, and have a write-up describing every step of the exploit chain,” Google said.
Data exfiltration vulnerabilities affecting Titan M chips also produce the largest payouts of their kind. A maximum of $500,000 can be awarded for flaws that allow the theft of high-value data protected by Titan M, and up to $250,000 for data protected by a “secure element”.
“Exploit chains found on specific developer preview versions of Android are eligible for up to an additional 50% reward bonus.”
Record-breaking year of payouts
Google also revealed that it paid 703 security researchers, based in 68 different countries, more than $12 million during 2022, an increase from $8.7 million in 2021 and $6.7 million in 2020.
Aman Pandey, founder and CEO of Bugsmirror, was given a special mention for submitting more than 200 bugs to the Android bug bounty programme during the year, taking his total successful submissions to more than 500 since starting in 2019.
In the Chrome-specific bug bounty programme, Rory McNamara, an application security engineer, became the highest-rewarded researcher after participating for six straight years.
Some parts of this report are sourced from: