Google pays largest-ever bug bounty worth £500,000
The company remained tight-lipped over the exploit itself, but speculation is possible given its publicly available rewards breakdown
Google announced that its largest-ever bug bounty reward, paid in 2022, was $605,000 (approximately £503,000) for a single security flaw.
The record reward was for a bug affecting the Android mobile operating system (OS), but Google did not offer any further details regarding the vulnerability or the exploit chain itself.
Google's silence on the bug's nature, coupled with the size of the reward, suggests a high-severity issue, most likely an exploit chain that has since been patched.
A researcher known by the alias of ‘gzobqq’ was singled out as the individual who earned the record-breaking reward.
They were also the recipient of 2021’s most valuable reward for a critical exploit chain in Android, tracked as CVE-2021-39698, earning $157,000 (£130,000).
Google’s outline of its rewards philosophy indicates that when deciding on the reward’s sum, the severity of the bug and the sensitivity of the affected product are considered.
Remote code execution vulnerabilities - ones that let an attacker run code of their choosing on a target device without local access - are treated as the most severe class of bug and are likely to yield the most lucrative rewards.
The very top awards also go to bugs that provide “near-complete control over user accounts”, Google said, such as cross-site scripting (XSS) flaws in the accounts.google.com origin, where a script running in that origin can act with the victim's session.
Also among the more lucrative awards are bugs that facilitate attacks on multiple users through a single compromised account or attack other non-Google accounts belonging to the same victim.
Google said that reward sums often change over time “to provide balanced incentives for external researchers - especially as we find certain classes of targets more difficult to attack”.
“When receiving multiple reports, we typically only reward once per root cause and group similar vulnerabilities together. For example, if there's a service that accidentally disabled CSRF protection, we wouldn't issue a reward for every handler that had CSRF protection disabled, but would instead issue a reward for the most serious CSRF vulnerability in the code.
“We might also give small bonus increases of around $1,000 for particularly clever or interesting vulnerabilities.”
According to the Android-specific bug bounty rules, the most lucrative payouts are made when flaws in Google’s Titan M chip are discovered.
Titan M was introduced in 2018 on the Google Pixel 3 smartphone. It is a discrete hardware security chip that backs verified boot, lock-screen passcode verification and hardware-backed key storage, and Google positions it as reducing the likelihood of data exfiltration, data interception and phishing.
Zero-click vulnerabilities allowing for code execution with persistence on a Titan M chip are eligible for a maximum reward of $1 million (£831,000) and $500,000 without persistence.
“For the full $1,000,000 reward, the Pixel Titan M exploit must be remote, demonstrate persistence, work on all vulnerable builds and devices, trigger with zero clicks, be easily reproducible with minimal visibility to the user, and have a write-up describing each step of the exploit chain,” Google said.
Data exfiltration vulnerabilities affecting Titan M also carry the largest payouts in their category. A maximum of $500,000 can be awarded for flaws that allow the theft of high-value data secured by Titan M, and up to $250,000 for data secured by a “secure element”.
“Exploit chains found on specific developer preview versions of Android are eligible for up to an additional 50% reward bonus.”
Record-breaking year of payouts
Google also revealed that it paid 703 security researchers, based in 68 different countries, more than $12 million across 2022, an increase from $8.7 million in 2021 and $6.7 million in 2020.
Aman Pandey, founder and CEO of Bugsmirror, was given a special mention for submitting more than 200 bugs to the Android bug bounty programme during the year, taking his total successful submissions to more than 500 since he started in 2019.
In the Chrome-specific bug bounty programme, Rory McNamara, an application security engineer, became the highest-rewarded researcher after participating for six straight years.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.