Security researchers have once again failed to claim the top reward in Google’s Android bug bounty program. This is the third year in a row that bug hunters have failed to win the largest prize Google offers for any type of security-related bug.
Anyone who had submitted a working remote exploit chain leading to a TrustZone or Verified Boot compromise on an Android device could have earned up to $200,000 under the Android Security Rewards program, Google’s Android bug bounty.
Over the years, researchers have found it very difficult to put together remote exploit chains that compromise TrustZone, the ARM secure-world environment that hosts Android’s trusted OS, or Verified Boot, which cryptographically verifies each stage of the boot chain before executing it. These are two of the Android OS’s most powerful security features.
Google offered meager rewards in the program’s first year, in 2015, but seeing that researchers weren’t coming up with remote exploits against TrustZone or Verified Boot, the company increased rewards to $50,000 in June 2016, and then to $200,000 last year, in June 2017.
Project Zero, Google’s in-house team of security researchers, also held a separate contest of its own between September 2016 and March 2017, offering a $200,000 reward for the same type of remote Android hack, but nobody managed to claim that prize either.
Despite missing out on the top prize in Google’s Android bug bounty, researchers were prolific in finding other security flaws. In a blog post today, Google said that since the program’s launch in 2015 it has paid out over $3 million in rewards, roughly $1 million per year.
In a retrospective of the past year, Jason Woloz and Mayank Jain of the Android Security & Privacy Team said 99 different bug hunters submitted 470 vulnerability reports in the past year.
The average payout per approved bug report was $2,600, while the average payout per researcher was $12,500, up 23 percent compared to last year.
This year’s highest bug payout went to Guang Gong, a Chinese security researcher with Alpha Team at Qihoo 360 Technology Co. Ltd., who received $105,000 for a remote exploit chain that combined two vulnerabilities (CVE-2017-5116 and CVE-2017-14904) against a Google Pixel device. To date, this is Google’s highest payout for an Android bug.
Bug hunters were also successful in another Android-related bug bounty program, the Google Play Security Reward Program.
Launched in October last year, this program rewards researchers who find bugs in popular third-party Android apps. Google said it accepted 30 bug reports in the past year and paid a combined bounty of over $100,000.
Last but not least, as it did last year, Google also published today a list of 250 Android smartphone models that are currently running a security update from the last 90 days.
Google started publishing this list last year in an effort to recognize phone makers who keep their devices up to date, and to give users who want to buy a device that regularly receives security updates a guide to choose from.
This year’s list includes devices from makers such as ANS, ASUS, BlackBerry, Blu, bq, Docomo, Essential, Fujitsu, General Mobile, HTC, Huawei, Itel, Kyocera, Lanix, Lava, LGE, Motorola, Nokia, OnePlus, Oppo, Positivo, Samsung, Sharp, Sony, Tecno, Vestel, Vivo, Vodafone, Xiaomi, ZTE, and, of course, Google itself.
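As an added example, not code from the original article or from Google, here is a small Python helper for checking the 90-day criterion above on a device you own. Android exposes the build’s security patch level as the `ro.build.version.security_patch` system property in `YYYY-MM-DD` form; the helper reads it either live over `adb` or from a saved `getprop` dump and reports whether it falls within a chosen window. The 90-day window is the article’s figure; the function names, the `adb` invocation and the sample `getprop` dump are my assumptions, and the dump is constructed rather than captured from a real device.

```python
import re
import subprocess
from datetime import date

# Android reports the build's security patch level in this property as YYYY-MM-DD
PATCH_PROP = "ro.build.version.security_patch"

# Constructed sample of `adb shell getprop` output (not captured from a real device)
SAMPLE_GETPROP = """\
[ro.build.version.release]: [8.1.0]
[ro.build.version.sdk]: [27]
[ro.build.version.security_patch]: [2018-06-05]
[ro.product.model]: [Pixel 2]
"""


def parse_getprop_dump(text, prop=PATCH_PROP):
    """Return the value of `prop` from a full getprop dump, or None if it is absent."""
    pattern = r"^\[" + re.escape(prop) + r"\]: \[([^\]]*)\]\s*$"
    match = re.search(pattern, text, re.MULTILINE)
    return match.group(1) if match else None


def parse_patch_level(value):
    """Turn a YYYY-MM-DD patch-level string into a date; raise ValueError if malformed."""
    match = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", value.strip())
    if not match:
        raise ValueError("unexpected security patch level: %r" % value)
    return date(int(match.group(1)), int(match.group(2)), int(match.group(3)))


def _as_date(value):
    """Accept either a date or a YYYY-MM-DD string for the reference day."""
    return value if isinstance(value, date) else parse_patch_level(value)


def patch_age_days(value, today):
    """Days elapsed between the patch level and `today` (negative if dated in the future)."""
    return (_as_date(today) - parse_patch_level(value)).days


def is_within_window(value, today, max_age_days=90):
    """True if the patch level is at most `max_age_days` old (the article's 90-day criterion)."""
    return patch_age_days(value, today) <= max_age_days


def read_patch_level(serial=None):
    """Query a connected device over adb; assumes adb is on PATH and the device is authorized."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", "getprop", PATCH_PROP]
    return subprocess.check_output(cmd, text=True).strip()


def report(value, today, max_age_days=90):
    """One-line human-readable verdict for the given patch level and reference day."""
    age = patch_age_days(value, today)
    status = "within" if age <= max_age_days else "outside"
    return "patch level %s is %d days old, %s the %d-day window" % (
        value, age, status, max_age_days)


if __name__ == "__main__":
    # Swap the sample dump for read_patch_level() to check a live device.
    level = parse_getprop_dump(SAMPLE_GETPROP)
    print(report(level, date.today()))
```

One caveat worth keeping in mind: the patch level is a string the vendor writes into the build, and the device does not verify it against the fixes actually present. The check above tells you what the vendor claims to have merged, not that every fix from that month’s bulletin is on the phone.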