Google recently confirmed that the total bounty for its Android Security Rewards program would be expanded, with rewards reaching up to $1.5 million. The company said that if you happen to find a security bug that can compromise the Titan M secure element used in its Pixel 3 handsets, you’ll be rewarded with $1 million.
Though if you find a bug that can be replicated on specific developer preview versions of Android, you’re entitled to a 50 per cent bonus, implying the total bounty reaches a staggering $1.5 million. Put simply, if you happen to find a security bug that meets these requirements, you’ll be rewarded with one of the biggest bounties in the industry.
“In 2019 Gartner rated the Pixel 3 with Titan M as having the most ‘strong’ ratings in the built-in security section out of all devices evaluated. This is why we’ve created a dedicated prize to reward researchers for exploits found to circumvent the secure elements protections,” said Jessica Lin from the Android security team in a blog post. “
Google explained that the bug report must reveal a full chain remote code execution exploit with persistence which compromises the Titan M secure element available on Pixel 3 devices. On the other hand, lock screen bypass and data exfiltration will be rewarded with a maximum of $500,000.
Launched back in 2015, the Android Security Rewards program is a bug bounty program where white hat hackers receive rewards for finding bugs in Google’s Android OS. The company claims it has paid more than $ 4 million in rewards based on 1800 reports, since the program’s introduction four ago. Besides, Google also added that the company has given away more than $1.5 million in the last 12 months, with top reward this year reaching $161,337.
“Over 100 participating researchers have received an average reward amount of over $3,800 per finding (46% increase from last year). On average, this means we paid out over $15,000 (20% increase from last year) per researcher!” Lin added.
It’s also worth noting that the changes in bounty program have already gone live on November 21, 2019. You can find more details about the Android Security Rewards Program rules here.
