Last week, Google announced a bug bounty reward of $1 million to anyone who could carry out a full chain remote code execution exploit on the Titan M secure chip within Pixel devices (this comes shortly after Apple launched its own $1 million bounty at Black Hat USA this year). On top of that, they’re offering a 50% bonus if the researcher can carry out the hack on a version of Android that’s still in developer preview stages, making the top prize up to $1.5 million if you hadn’t already done the math.
Hackers today have a few options with the bugs they uncover:
- Do nothing with bugs they find
- Use the exploits themselves
- Sell to an offensive buyer or get a job with one
- Sell to a defensive buyer or get a job with one
Casey Ellis, Bugcrowd founder, chairman, and CTO, weighs in on the motivations and the increasing arms race for these bugs:
When it comes to Google’s updated bug bounty reward program, it’s important to note that similar to Apple’s bug bounty program, the skills needed to find these types of vulnerabilities in Google devices are rare and often tied up in the offensive market–which is why the payout is so high.
By upping the incentive to hackers, Google is making bug hunting for them more attractive, especially to those that might teeter the line between whitehat and blackhat. This also gives hackers who previously could have sold their discoveries to brokers like Zerodium or to international governments more incentive to help with the problem of defense, instead of leaving users vulnerable as they support the offensive market.
At Bugcrowd, we love seeing so many established tech giants working with the whitehat hacker community, upping their incentives and competing head-to-head to match the effort that goes into finding these bugs, in an effort to create more secure products.
Interested in running a program? Learn more about Bugcrowd Bug Bounty programs here: https://www.bugcrowd.com/products/bug-bounty/