Google Quadruples Top Reward For Hacking Android To $200,000

Krystalo quotes a report from VentureBeat: Google has paid security researchers millions of dollars since launching its bug bounty program in 2010. The company today expanded its Android Security Rewards program because "no researcher has claimed the top reward for an exploit chain in two years." Right. Well, the program has only been around for two years -- a Google spokesperson confirmed that nobody has ever claimed the top reward. The Android team is making two bug bounty increases today. The reward for a remote exploit chain or exploit leading to TrustZone or Verified Boot compromise has quadrupled from $50,000 to $200,000. The reward for a remote kernel exploit has quintupled from $30,000 to $150,000. Want to make six figures? Just figure out how to hack Android.

Why make six when you can make eight or nine?

[Gravis+Zero]

It's true that nobody has claimed the prize but it's also true that you can make significantly more money by making and licensing an exploit to governments. The FBI paid out $1M just to unlock an old ass iPhone so how much do you think they would pay to remotely exploit the latest versions of Android?

Google's payouts are not proportional to their market value and that's why people aren't claiming them.