Finding the right kind of Android bug could net you a massive payday of $1.5 million. That’s a significant increase to Google’s bug-bounty program, which previously paid a maximum of $200,000 for certain vulnerabilities.
“Today, we’re expanding the program and increasing reward amounts,” read the announcement on Google’s security blog. “We are introducing a top prize of $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices. Additionally, we will be launching a specific program offering a 50 percent bonus for exploits found on specific developer preview versions of Android, meaning our top prize is now $1.5 million.”
Over the past 12 months, Google has paid out $1.5 million to security researchers, with an average award of $3,800 per discovered vulnerability (supposedly a 46 percent increase year-over-year). “The highest reward paid out to a member of the research community was for a report from Guang Gong (@oldfresher) of Alpha Lab, Qihoo 360 Technology Co. Ltd,” the blog continued. “This report detailed the first reported 1-click remote code execution exploit chain on the Pixel 3 device. Guang Gong was awarded $161,337 from the Android Security Rewards program and $40,000 by Chrome Rewards program for a total of $201,337.”
Bug Bounties: Lucrative Before Google
Even before Google’s most recent announcement, bug bounties have become an avenue to earning real cash. Earlier this year, for example, HackerOne reported that six hackers had become millionaires off bug bounties.
“When I first started, the industry was in its infancy. Only a handful of companies invited hackers to find and share vulnerabilities,” Nathaniel Wakelam, one of those bug-bounty millionaires, told HackerOne at the time. “Six years later, the space has changed dramatically. Bug bounties have given me the flexibility to work from anywhere in the world, forged connections with people within an industry that I respect, created a secondary income stream within my own life, and allowed me the opportunity to branch out and pursue other business ventures.”
Indeed, major companies have turned increasingly to bug bounties to discover vulnerabilities in key platforms. Ahead of this August’s Black Hat security conference, Microsoft announced not only the Azure Security Lab, an online sandbox for stress-testing Azure vulnerabilities, but also a top prize of $300,000 for a virtual machine escape (demonstrating “a functional exploit enabling an escape from a guest VM to the host or to another guest VM”). That’s in addition to doublingthe top payout for critical targets in the mainstream Azure bug bounty program (to $40,000).
Apple is so worried about someone hacking its prize iPhone infrastructure, meanwhile, that it now pays out one million dollars to any researcher who reports certain types of smartphone-based vulnerabilities—specifically, a remote attack that allows an attacker to gain total control of a user’s iPhone without that user doing anything to help. Apple is also willing to pay out hundreds of thousands of dollars for discovering vulnerabilities that crack an iPhone’s lock screen, and for network vulnerabilities.
If you’re interested in earning some money off your hacking skills, in other words, there’s no better time to explore bug-bounty programs. And if you’re curious about cybersecurity as a profession, check out the certifications and skills that employers really want.
