Google has given $112,500 (roughly Rs. 71,83,300) to a security researcher for exposing a security flaw in Google Pixel smartphones.
Guang Gong submitted an exploit chain through the Android Security Rewards (ASR) programme in August 2017. It was the first working remote exploit chain since the search giant expanded the ASR programme. Gong was granted $105,000 (roughly Rs. 67,04,40), which Google says is the highest reward in the ASR programme's history. Furthermore, she was given $7,500 (approximately Rs. 4,78,900) under the Chrome Rewards programme too.
The technical details of the exploit were published by Google on its Android Developers blog on Wednesday. The search giant thanked Gong, who is from Alpha Team, Qihoo 360 Technology, and the whole researcher community for finding and responsibly reporting security vulnerabilities. Meanwhile, Google reported that the complete set of issues was resolved as part of the December 2017 monthly security update, which fixed a total of 42 bugs.
The exploit chain consists of two bugs. The first is a V8 engine bug that is used to gain remote code execution in the sandboxed Chrome renderer process, while the second is a bug in Android's libgralloc module that is used to escape Chrome's sandbox. Google says this exploit chain can be used to inject arbitrary code into system_server by accessing a malicious URL in Chrome.
Google, through the Android Security Rewards programme, recognises the contributions of security researchers working on Android's security.
In June 2017, Google increased the ASR payout for remote exploit chains or exploits leading to TrustZone or Verified Boot compromise from $50,000 (approximately Rs. 31,92,600) to $200,000 (approximately Rs. 1,27,70,300). Through this programme, Google has awarded researchers over $1.5 million (roughly Rs. 9,57,77,200) to date, with the top research team earning $300,000 (roughly Rs. 1,91,55,450) for 118 vulnerability reports.