Google pays largest-ever bug bounty worth £500,000


Google announced that it paid its largest-ever bug bounty reward in 2022 for a security flaw worth $605,000 (approximately £503,000) in compensation.

The record reward was for a bug affecting the Android mobile operating system (OS) but Google did not offer any further details regarding the vulnerability or exploit chain itself.

Google’s silence on the bug’s nature, combined with the size of the reward, hints at the severity of the issue, which has most likely now been patched.

A researcher known by the alias of ‘gzobqq’ was singled out as the individual who earned the record-breaking reward.

They were also the recipient of 2021’s most valuable reward for a critical exploit chain in Android, tracked as CVE-2021-39698, earning $157,000 (£130,000).

Google’s outline of its rewards philosophy indicates that when deciding on the reward’s sum, the severity of the bug and the sensitivity of the affected product are considered.

Remote code execution vulnerabilities - ones that offer cyber attackers full access to a target device to launch their own malicious code - are seen as the most severe type of bugs and are likely to yield the most lucrative rewards.

The very top awards also go to bugs that provide “near-complete control over user accounts”, Google said, such as cross-site scripting (XSS) flaws in the accounts.google.com origin.

Also among the more lucrative awards are bugs that allow attacks on multiple users from a single compromised account, or that let an attacker reach other, non-Google accounts belonging to the same victim.

Google said that reward sums often change over time “to provide balanced incentives for external researchers - especially as we find certain classes of targets more difficult to attack”.

“When receiving multiple reports, we typically only reward once per root cause and group similar vulnerabilities together. For example, if there's a service that accidentally disabled CSRF protection, we wouldn't issue a reward for every handler that had CSRF protection disabled, but would instead issue a reward for the most serious CSRF vulnerability in the code.

“We might also give small bonus increases of around $1,000 for particularly clever or interesting vulnerabilities.”

According to the Android-specific bug bounty rules, the most lucrative payouts are made when flaws in Google’s Titan M chip are discovered.

Titan M was introduced in 2018 on the Google Pixel 3 smartphone. It acts as a physical security layer for mobile devices, aimed at reducing the likelihood of data exfiltration, data interception, and phishing.


Zero-click vulnerabilities allowing for code execution with persistence on a Titan M chip are eligible for a maximum reward of $1 million (£831,000) and $500,000 without persistence.

“For the full $1,000,000 reward, the Pixel Titan M exploit must be remote, demonstrate persistence, work on all vulnerable builds and devices, trigger with zero clicks, be easily reproducible with minimal visibility to the user, and have a write-up describing each step of the exploit chain,” Google said.

Data exfiltration vulnerabilities affecting Titan M chips also attract the largest payouts in their category. A maximum of $500,000 can be awarded for flaws that allow the theft of high-value data secured by Titan M, and up to $250,000 for data secured by a “secure element”.

“Exploit chains found on specific developer preview versions of Android are eligible for up to an additional 50% reward bonus.”

Record-breaking year of payouts

Google also revealed that it paid 703 security researchers, based in 68 different countries, more than $12 million across 2022, an increase from $8.7 million in 2021 and $6.7 million in 2020.

Aman Pandey, founder and CEO of Bugsmirror, was given a special mention for submitting more than 200 bugs to the Android bug bounty programme during the year, taking his total successful submissions to more than 500 since he started in 2019.

In the Chrome-specific bug bounty programme, Rory McNamara, an application security engineer, became the highest-rewarded researcher after participating for six straight years.

Connor Jones
News and Analysis Editor
