Google expanded its Android Security Rewards Program on Thursday, November 21, announcing higher bug bounty rewards for finding and reporting critical vulnerabilities in the Android operating system and “introducing a top prize of $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices.”
The Titan M chip is currently part of Google Pixel 3 and Pixel 4 devices. It is a separate chip included in both devices, dedicated exclusively to handling sensitive data and processes such as Verified Boot, on-device disk authentication, lock screen security, protected transactions, and more.
In addition, there is an extra 50 percent incentive if a security researcher can find an exploit on specific developer preview versions of Android, resulting in a possible $1.5 million reward.
Incentives of up to $500,000 are also available for specific attacks that result in data theft and lockscreen bypass. Benevolent hackers can learn how much they can receive on Google's revised Android Security Rewards Program Rules page. Once again, this will be limited to Pixel phones running the latest version of Android.
According to the report, even the Titan Security Key itself has been a victim of Google’s persistent security woes. The company recalled Bluetooth versions of the device in May after finding a vulnerability that allows attackers in close proximity to take control of the device.
For those unaware, Google launched the Android Security Rewards (ASR) program in 2015. Until now, the highest reward in Google’s Bug Bounty Program was just over $200,000.
Google isn’t the only company that offers top dollar to friendly hackers who can find gaps in its protection. Apple revealed in August that it would award $1 million to anyone who can achieve a zero-click full chain execution.