Google awards record $112,500 bug bounty for Android exploit chain

Google awarded a record $112,500 bug bounty to a Chinese security researcher after he submitted the first working Android remote exploit chain since the company’s Android Security Rewards program raised top payout levels in 2017. Guang Gong, a researcher who works for billion-dollar Chinese security firm Qihoo 360 Technology, submitted the bugs in August. The bugs, CVE-2017-5116 and CVE-2017-14904, were resolved in a December 2017 security update. Google announced the full payout this week. The exploit chain goes after the Pixel, Google’s own flagship mobile device. It’s widely touted as the most secure Android phone on the market. The first vulnerability allows a remote attacker to execute arbitrary code, via crafted HTML, inside the Chrome browser’s sandbox. The second is a bug that allows an escape from Chrome’s sandbox. Combined, the vulnerabilities allow attackers to remotely inject arbitrary code into the Pixel’s system_server process if the phone’s user accesses certain malicious URLs in Chrome. Gong and the Qihoo 360 team know a thing or two […]

The post Google awards record $112,500 bug bounty for Android exploit chain appeared first on Cyberscoop.
