When Google first introduced its bug bounty program for Android, the biggest reward you could get for finding and reporting a potential exploit was $38,000.
The cap grew over time, as Android grew in popularity, more security researchers got on board, and more vulnerabilities were unearthed. This morning, Google is bumping its top reward up to $1.5 million dollars.
They’re not going to pay out a million+ for just any bug, of course.
For this new reward category, Google is looking for “full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices”. In other words, they’re looking for an exploit that, without the attacker having physical access to the device, can execute code even after a device is reset and breaks into the dedicated security chip built into the Pixels.
Reporting an exploit that fits that bill will get researchers up to $1M. If they can do it on “specific developer preview versions” of Android, meanwhile, there’s a 50% bonus reward, bumping the maximum prize up to $1.5M.
Google first introduced the Titan M security chip with the Pixel 3. As Google outlines here, the chip’s job is essentially to supervise; it double checks boot conditions, verifies firmware signatures, handles lock screen passcodes, and tries to keep malicious apps from forcing your device to roll back to “older, potentially vulnerable” builds of Android. The same chip can be found in the Pixel 4 line-up.
$1.5 million for a single exploit sounds like a lot… and it is. It’s roughly what Google paid out for all bug bounties in the last 12 months. The top reward this year, the company says, was $161,337 for a “1-click remote code execution exploit chain on the Pixel 3 device”. Average payout, meanwhile, was about $3,800 per finding. Given the potential severity of persistently busting through the security chip on what’s meant to be the flagship form of Android, though, a wild payout makes sense.