Google has announced that all security researchers who report Android 13 Beta vulnerabilities through its Vulnerability Rewards Program (VRP) will get a 50% bonus on top of the standard reward until May 26th, 2022.

Bug hunters can get a maximum payout of $1.5 million for a full remote code execution exploit chain on the Titan M security chip used in Google Pixel phones running an Android 13 Beta build.

"Between April 26th, 2022 and May 26th, 2022 all security vulnerabilities that reproduce exclusively on Android 13 Beta 1 are eligible for a bonus 50% reward payout on top of the standard reward payout," the company says on the Bug Hunters portal.

"Vulnerabilities must be exclusive to Android 13 and must not reproduce on any other version of Android."

Google asked those who submit eligible vulnerabilities to include the phrase "Android 13 Beta" in the title of their reports to ensure that they're correctly tagged for this payout bonus program.

The list of qualifying flaws includes those found in Android Open Source Project (AOSP) and other OS code, as well as OEM library and driver code, system on chip (SoC) and microcontroller unit (MCU) code, and any other software used by Android devices, provided they impact the security of Google devices and platforms.

Researchers are also eligible for extra rewards if they provide full exploit chains combining multiple security flaws and demonstrating arbitrary code execution, data exfiltration, or a lock screen bypass (achieved via software).

The final reward amount for all reported bugs is at the discretion of Google's reward committee, and it depends on several factors, including (but not limited to) the availability of a buildable exploit, a detailed write-up, the attack vector, and the exploit's reliability.

"Exploit chains found on specific developer preview versions of Android are eligible for up to an additional 50% reward bonus," Google adds.

The maximum exploit reward for vulnerabilities allowing code execution reaches up to $1 million for Pixel Titan M bugs without considering the Android preview payout bonus.

Data exfiltration bugs can also earn researchers a reward of up to $500,000 for sensitive data secured by Pixel Titan M, while payouts for software-based lock screen bypasses can go up to $100,000.

Jan Keller, a Google VRP Technical Program Manager, revealed in July 2021 that Google has paid rewards to over 2,000 security researchers from 84 different countries for reporting over 11,000 bugs since launching its first VRP more than ten years ago.

In all, Google has paid over $29 million in bounty rewards since January 2010, when it launched the Chromium vulnerability reward program.

The company awarded a record-breaking $8,700,000 in rewards in 2021, including a $157,000 payout for an exploit chain, the highest in Android VRP history.
