Google now offers nearly $2 million CAD prize for select Titan M exploits

The new rewards come as part of an expanded Android Security Rewards program

Google is cranking up the top prize for its Android bug bounty program and offering $1 million USD (roughly $1.32 million CAD) to anyone who can compromise the Titan M security chip the search giant installs in its Pixel phones.

The new top prize is for a “full chain remote code execution exploit with persistence” of the Titan M security chip. Plus, Google’s offering a 50 percent bonus if a researcher finds an exploit on specific developer preview versions of Android. In other words, the top potential prize is now $1.5 million USD (approximately $1.99 million CAD).

Google first implemented the Titan M security chip with the Pixel 3. The chip is separate from the main processor and acts as a protected area for your smartphone’s most sensitive data, which helps protect that data against certain attacks. For example, Google says Titan M handles on-device protection for login credentials, disk encryption and app data, and helps ensure the integrity of the operating system.

Additionally, the chip integrates with Android’s security key functionality and stores a person’s FIDO credentials.

All this is to say that Titan M is a crucial part of Pixel devices’ security. It’s no surprise, then, that Google wants to make sure it’s secure.

Along with the new Titan M rewards, Google also announced several new categories of exploits in the Android Security Rewards program. These offer prizes of up to $500,000 USD (about $664,250 CAD) and include exploits like data exfiltration and lock screen bypass.

Android Security Rewards launched back in 2015, and over the last four years Google has paid out over $4 million USD (roughly $5.32 million CAD) in rewards. 2019 alone saw a total of $1.5 million USD in payouts, and Google awarded an average bounty of over $15,000 USD (or $19,932 CAD) per researcher. The largest single reward the company gave out this year was $161,337 USD (about $214,384 CAD) for the first reported ‘one-click remote code execution exploit chain on the Pixel 3 device.’

You can learn more about the Android Security Reward Program here.

Source: The Verge