If you are a tech-savvy hacker interested in earning yourself $200,000 (£156,000) by finding a critical vulnerability in the Android operating system, Google wants to hear from you: this week it revealed it has quadrupled its top-level bug bounty reward.
A working exploit leading to a compromise of Android's "TrustZone" or "Verified Boot" mechanisms will get you $200,000, up from $50,000 in 2016.
Additionally, a
remote kernel proof-of-concept could leave you $150,000 better off, up from
$30,000.
In the past year, Google said it had received more than 450 vulnerability reports from researchers, with the average pay-out per expert jumping by over 50%.
The
total amount of rewards issued doubled to a massive $1.1 million. It is clear
white-hat hacking comes with some perks.
Due
to this, Google said it had
decided to increase the top-line pay-outs of its "Security Rewards"
programme.
In
a fresh update, published on 1 June, the Android Security team's Mayank Jain
and Scott Roberts revealed that within the last two years no researcher had yet
claimed the top reward – reserved for a highly-critical "remote exploit
chain" leading to a full compromise.
The
Google researchers wrote: "Two years ago, we launched the Android Security
Rewards program. In its second year, we've seen great progress. Thank you to
all the amazing researchers who submitted complete vulnerability reports to us
last year.
"We're
constantly working to improve the Android Security Rewards program and today
we're making a few changes. In addition to rewarding for vulnerabilities, we
continue to work with the broad and diverse Android ecosystem to protect users
from issues reported through our program.
"We
collaborate with manufacturers to ensure issues are fixed on their devices
through monthly security updates. Over 100 device models have a majority of their
deployed devices running a security update from the last 90 days. Thank you to
everyone who helped make Android safer."
Bug
bounty programmes have become popular with huge companies in recent years
because they let white-hat hackers report critical (and non-critical) bugs and
vulnerabilities in a safe manner. If responsible disclosure rules are followed,
the pay-out can be lucrative.
"Through
[Android Security Rewards] we provide monetary rewards and public recognition
for vulnerabilities disclosed to the Android Security Team," Google says
on its website.
"The
reward level is based on the bug severity and increases for complete reports
that include reproduction code, test cases, and patches.
"Android
Security Rewards covers bugs in code that runs on eligible devices and isn't
already covered by other reward programs at Google. Eligible bugs include those
in AOSP code, OEM code (libraries and drivers), the kernel, and the TrustZone
OS and modules."
The rise of Google
shows no sign of slowing. In May this year, the firm revealed Android is now
powering two billion active devices and its Google Drive service is now enjoyed
by 800 million monthly active users. There's never been more incentive to find
ghosts in the machine.