With its latest announcement to increase bug bounty rewards for finding and reporting critical vulnerabilities in the Android operating system, Google yesterday set up a new challenging level for hackers that could let them win a bounty of up to $1.5 million.
Starting today, Google will pay $1 million for a “full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices,” the tech giant said in a blog post published on Thursday.
Moreover, if someone manages to achieve the same in the developer preview versions of Android, Google will pay an additional $500,000, making the total to $1.5 million—that’s 7.5 times more than the previous top Android reward.
Introduced within the Pixel 3 smartphones last year, Google’s Titan M secure element is a dedicated security chip that sits alongside the main processor, primarily designed to protect devices against the boot-time attacks.
In other words, Titan M chip is a separate hardware component to Android Verified Boot that also takes care of sensitive data, lock-screen passcode verification, factory-reset policies, private keys, and also offers secure API for critical operations like payment and app transactions.
Considering this, it’s usually tough to find a 1-click remote code execution exploit chain on the Pixel 3 and 4 devices, and, until now, only one cybersecurity researcher, Guang Gong of Qihoo 360, has been able to do that.
“Guang Gong was awarded $161,337 from the Android Security Rewards program and $40,000 by Chrome Rewards program for a total of $201,337,” Google said.
“The $201,337 combined reward is also the highest reward for a single exploit chain across all Google VRP programs.”
Moreover, Google also said the company has paid out a total of $1.5 million in 2019 as part of its bug bounty program, with an average bounty of more than $15,000 per security researcher.
In addition to RCE exploits for Pixel Titan M, Google has also introduced two new categories of exploits to its rewards program—data exfiltration and lockscreen bypass vulnerabilities—which will reward up to $500,000 for depending on the exploit category.
Google’s expanded Android reward program came over two months after third-party exploit vendor Zerodium announced to pay up to $2.5 million for “full chain, zero-click, with persistence” Android zero-days, which was a straight 12x jump from its previous price tag of $200,000.