Google is cranking up the top prize for its Android bug bounty program and offering $1 million USD (roughly $1.32 million CAD) to anyone who can compromise the Titan M security chip the search giant installs in its Pixel phones.
The new top prize is for a “full chain remote code execution exploit with persistence” of the Titan M security chip. Plus, Google’s offering a 50 percent bonus if a researcher finds an exploit on specific developer preview versions of Android. In other words, the top potential prize is now $1.5 million USD (approximately $1.99 million CAD).
Google first implemented the Titan M security chip with the Pixel 3. The chip acts as a protected area for your smartphone’s most sensitive data that’s separate from the main processor, which helps protect it against certain attacks. For example, Google says Titan M handles on-device protection for login credentials, disk encryption and app data, and helps ensure the integrity of the operating system.
Additionally, the chip integrates with Android’s security key functionality and stores a person’s FIDO credentials.
All this is to say that Titan M is a crucial part of Pixel devices’ security. It’s no surprise, then, that Google wants to make sure it’s secure.
Along with the new Titan M rewards, Google also announced several new categories of exploits in the Android Security Rewards program. These offer prizes up to $500,000 USD (about $664,250 CAD) and include exploits like data exfiltration and lock screen bypass.
Android Security Rewards launched back in 2015, and over the last four years Google paid out over $4 million USD (roughly $5.32 million CAD) in rewards. 2019 alone saw a total of $1.5 million USD in payouts, and Google awarded an average bounty of over $15,000 USD (or $19,932 CAD) per researcher. The largest single reward the company gave out this year was $161,337 USD (about $214,384 CAD) for the first reported ‘one-click remote code execution exploit chain on the Pixel 3 device.’
You can learn more about the Android Security Reward Program here.
Source: The Verge