In 2015, Google launched the Android Security Rewards program, which pays out rewards to those who discover bugs and system exploits within the OS. Now, Google has announced that it is increasing the maximum payout to $200,000.
Bug Bounty Programs
The Android Security Rewards program is similar to other programs of its kind in the tech industry. If a security firm or individual discovers an exploit within Android OS and reports it to Google, they receive a cash reward. From there, Google uses that information to fix the exploit and avoid hacks by malicious organizations.
The payouts vary based on the severity of the exploits, but, overall, Google has paid security researchers more than $1.5 million since the program began. Despite this, no one has managed to claim Google's largest bounties, so the company has decided to substantially increase the reward in hopes of attracting more engineers and researchers to the program.
The increased rewards apply to two bounties. The first is for remote kernel exploits. Android is based on the open-source Linux OS, which has been used to create the popular Ubuntu operating system. As powerful and adaptable as Linux is, it does contain several security issues. The most troubling, at least from Google's perspective, are called remote kernel exploits, which could allow unauthorized users to gain remote control of Android devices or steal a user's personal data. Google has increased the payout for discovering a remote kernel exploit from $30,000 to $150,000.
TrustZone Or Verified Boot Compromises
TrustZone is a system-on-a-chip technology that helps to ensure that security software, system boot settings, and biometric data, such as the fingerprint scans used in touch ID systems, are secure. It goes without saying that this is data that no one wants exposed to hackers.
Verified Boot was introduced in Android KitKat as a means of ensuring that the phone's software had not been altered. Each time the phone boots up, it performs a check and, on devices running Android 6.0 and higher, will warn users of tampering. Understandably, hackers would love a way around Verified Boot.
The reward for either of these exploits has been increased from $50,000 to $200,000.
Assuming no researchers take the bait, it is likely that Google will increase the reward again until someone decides it is worth their time to discover such an exploit. After all, all software has flaws. Eventually, someone will discover one of these errors. It is just a question of whether it will be someone working for Google or a hacker trying to steal personal data.