Prolific bug hunter Guang Gong has earned the highest-ever payout for a vulnerability in the history of Google’s Android Security Rewards program, which began in 2015.
He earned a combined $112,500 for the disclosure of an Android exploit chain impacting Google’s Pixel handset that could allow an attacker to inject arbitrary code via a malicious URL accessed via the phone’s Chrome browser.
Gong, a researcher with Qihoo 360’s Alpha Team, earned $105,000 via Google’s Android Security Rewards program and a bonus $7,500 through the Chrome Rewards program. Google said the issues were patched as part of its December 2017 monthly security update.
The first vulnerability (CVE-2017-5116) is a V8 engine type confusion bug that allows “a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML,” according to the MITRE description. The second flaw (CVE-2017-14904) is “a bug in Android’s libgralloc module that is used to escape from Chrome’s sandbox,” according to a description in an Android Developers Blog.
“Together, this exploit chain can be used to inject arbitrary code into system_server by accessing a malicious URL in Chrome,” Google wrote.
— vangelis (@vangelis_at_POC) November 11, 2016
For years Gong, and Alpha Team, have been successful bug hunters discovering copious vulnerabilities in the Android ecosystem. At the 2016 PwnFest hacker contest Gong was awarded $120,000 in prize money by event sponsors for exploiting a zero-day vulnerability in Google’s Pixel phone in less than 60 seconds.
The largest-ever payout by the Android Security Rewards program comes on the heels of a decision by Google to increase the maximum bounty payouts for kernel exploits from $30,000 to $150,000 remote kernel exploit and $50,000 to $200,000 for a remote exploit chain or exploit leading to TrustZone or Verified Boot compromise.