Great news for bug bounty hunters – Google has announced that its Android Security Rewards (ASR) program is increasing its payouts. The highest bounty is now $1.5 million.
Did you know? The Android Security Rewards (ASR) program was created in 2015 to reward researchers who discover and report security bugs in Android. Over the past 4 years, Google has rewarded more than 1,800 reports.
The total amount of rewards is four million dollars.
Google Is Expanding Its Android Security Rewards Program
The tech giant is now expanding the ASR program and is introducing “a top prize of $1 million”, which would be given to a researcher who discovers a full-chain remote code execution exploit with persistence against the Titan M component on Pixel devices. In addition, Google is launching another program that offers a 50% bonus for exploits in specific developer preview Android versions.
This makes the top prize $1.5 million, the official announcement said.
Google has also added several other categories of exploits to ASR, including data exfiltration and lockscreen bypass exploits, which will pay up to $500,000 depending on the category.
The biggest payout so far has been given to Guang Gong of Alpha Lab, Qihoo 360 Technology, for a 1-click remote code execution exploit chain on the Pixel 3 device. The researcher received $161,337 from the ASR program and $40,000 from the Chrome Rewards Program. In total, Gong received a payment of $201,337, which is the highest reward for a single exploit chain across all Google VRP programs.
The changes in the bug bounty program are valid from November 21, and any reports submitted prior to this date will be evaluated according to the previous pay list.
Just last month, an unpatched Android bug was disclosed by Google Project Zero researcher Maddie Stone. Owners of Huawei, Xiaomi, Samsung, LG and Google phones are affected by the flaw, described as a use-after-free memory condition in the Android Binder component that can result in escalation of privileges.