Google expanded its Android Security Rewards program to include new bug categories and higher payouts, including a top prize of $1.5 million.
Jessica Lin, program manager on the Android Security Team at Google, detailed the changes, including a top prize of $1 million for “a full chain remote code execution exploit with persistence which compromises the Titan M secure element” on newer Pixel devices.
“Additionally, we will be launching a specific program offering a 50% bonus for exploits found on specific developer preview versions of Android, meaning our top prize is now $1.5 million,” Lin wrote in a blog post. “We have added other categories of exploits to the rewards program, such as those involving data exfiltration and lockscreen bypass.”
According to the Android Security Rewards rules, the program only includes vulnerabilities affecting Pixel 3, Pixel 3A and Pixel 4 devices. The new data exfiltration rewards go up to $250,000 for “high-value data secured by a Secure Element” and up to $500,000 for data secured by the Pixel Titan M chip.
The new lock screen bypass reward applies “to lock screen bypass exploits achieved via software that would affect multiple or all devices,” but specifically excludes spoofing attacks against biometric sensors. Researchers have shown in the past that fake fingerprints can be used to fool sensors and realistic masks can sometimes fool facial recognition as well.
Lin added that the Android Security Rewards program has reached new milestones, including $1.5 million paid out over the past year, $4 million in total payouts over the four years the program has been running, and a largest single reward to date of $161,337.
A Google spokesperson told SearchSecurity that the reward amounts were raised because, “We think the Android Security Rewards program has proven to be a huge benefit to the community, so we want to continue to incentivize the best researchers in the world to participate.”
Google isn’t the only company raising exploit rewards. In August, Apple increased the maximum bug bounty payouts from $200,000 to $1 million. In September, Zerodium, a private company that purchases exploits in order to resell to governments and law enforcement, raised its maximum payout to $2.5 million.
However, Katie Moussouris, founder and CEO of Luta Security, said on Twitter that increasing bug bounty rewards like this is actually a “perverse incentive.”
“Just like when Apple raised their bug bounty to $1M, Google’s move won’t compete [with] the ‘black market’ which can raise prices anytime,” Moussouris wrote on Twitter. “This price for external research raises questions for retention and recruitment of internal talent meant to prevent flaws.”
Moussouris has criticized large bug bounty payouts in the past. In August, she argued that unless rewards are set at a level less than “the cash compensation of each employee and contractor” capable of creating an exploit, these rewards are more of a publicity stunt and create “no material advantage over an offense market that isn’t trying to prevent these bugs in the first place.”
“One can’t simultaneously claim that higher bug bounties compete with the offense market, while also living in a world in which offense market prices have skyrocketed anyway. Driving offense market prices up further by increasing defense prices is an already lost gambit for defense,” Moussouris tweeted in August. “If you’re that concerned about repressive regimes acquiring exploits/bugs via offense markets, you should be advocating for pay inside companies to be net greater than bug bounty prices.”