Google on Thursday expanded its Android Security Rewards Program by “introducing a top prize of $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices.”
For those unaware, Google had launched the Android Security Rewards (ASR) program in 2015. Until now, the highest payout on Google’s Bug Bounty Program was just over $200,000.
Since the program's launch, Google has paid out over four million dollars to security researchers for more than 1,800 vulnerability reports, helping keep the Android ecosystem safe.
The Titan M chip was first introduced with the Pixel 3, which, according to data from Gartner, was rated as having stronger security than any other device tested. The same chip can be found in the Pixel 4 lineup.
The bounty for this exploit can go up to $1.5 million if the exploit chain is performed on “specific developer preview versions” of Android. Additionally, Google has added a new “data exfiltration reward” category that pays up to $500,000 for high-value data secured by the Pixel Titan M, and up to $250,000 for high-value data secured by a Secure Element.
Casey Ellis, founder and CTO of Bugcrowd, said Google’s bounty has increased because “the skills needed to find these types of vulnerabilities in Google devices are rare and often tied up in the offensive market.”
“By upping the incentive to hackers, Google is making bug hunting for them more attractive, especially to those that might teeter the line between whitehat and blackhat,” he added.
Google says it has paid a total of around $1.5 million in rewards during the past 12 months. Here are some highlights of the payouts made in 2019:
- Total payouts in the last 12 months have been over $1.5 million.
- Over 100 participating researchers have received an average reward amount of over $3,800 per finding (46% increase from last year). On average, this means we paid out over $15,000 (20% increase from last year) per researcher!
- The top reward paid out in 2019 was $161,337.
The changes to the program took effect on November 21, 2019, and any bugs reported after this date will be paid under the program's new rules.