A whopping sum of $112,500 (roughly Rs. 71,83,300) has been awarded to a security researcher responsible for exposing a security flaw in Google Pixel smartphones. In August 2017, Guang Gong submitted an exploit chain via the Android Security Rewards (ASR) program. It was the first working remote exploit chain since the expansion of the ASR program. Gong was awarded a huge sum of $105,000 (roughly Rs. 67,04,40), which Google claims is the highest reward in the history of the ASR program. In addition, she was awarded $7,500 (roughly Rs. 4,78,900) under the Chrome Rewards program.
On Wednesday, Google revealed further details on its Android Developer’s blog. The search giant thanked Gong and the entire researcher community for finding and properly reporting security risks. Google added that the complete problem was resolved as part of the December 2017 monthly security update, which addressed a total of 42 bugs.
The exploit chain encompasses two bugs: CVE-2017-5116 and CVE-2017-14904. The first is a V8 engine bug that is used to get remote code execution in the sandboxed Chrome render process. The second is a bug in Android’s libgralloc module that is used to escape from Chrome’s sandbox. Using this exploit chain, arbitrary code can be injected into the system server when a malicious URL is accessed in Chrome, says Google.
Through the Android Security Rewards program, Google recognizes the contributions of security researchers who have been working on Android’s security features. In October 2017, the devices covered under this program comprised the Google Pixel 2, Google Pixel and Pixel XL, and Google Pixel C.
In June 2017, Google increased the ASR payout for a remote exploit chain from $50,000 to $200,000. Google has awarded researchers over $1.5 million (roughly Rs. 9,57,77,200) so far. The top research team has earned around $300,000 (roughly Rs. 1,91,55,450) for 118 vulnerability reports.