Google Offers Bug Bounty Up to $1.5 Million
Written by Alex Armstrong   
Monday, 25 November 2019

Google has announced a new bug bounty of $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices. This can be boosted to $1.5 million for exploits found on specific developer preview versions of Android.

If you want the exploit explained without the security jargon - Google is prepared to pay up if the hacker gains access to a Pixel's operating system remotely in a way that doesn't require any interaction with the phone's user.

Explaining Google's decision to offer such a large reward, Jessica Lin of the Android Security Team points out that earlier this year Gartner rated the Pixel 3 with Titan M as having the most “strong” ratings in the built-in security section out of all devices evaluated, noting:

This is why we’ve created a dedicated prize to reward researchers for exploits found to circumvent the secure elements protections.

Two other categories of exploits have been added to the rewards program, which was first introduced in 2015, see New Android Bug Bounty Scheme. Data exfiltration of high value data secured by Pixel Titan M can be rewarded with a bounty up to $500,000, while up to $250,000 is on offer for high value data secured by a Secure Element. Up to $100,000 is available for lockscreen bypass exploits achieved via software that would affect multiple or all devices. These amounts don't take into account the 50% bonus for exploits revealed at developer preview stage.

In the same blog post, Lin revealed that the Android Reward Program paid out a total of over $1.5 million to security researchers in the last 12 months and that:

  • Over 100 participating researchers have received an average reward amount of over $3,800 per finding (46% increase from last year). On average, this means [Google] paid out over $15,000 (20% increase from last year) per researcher!

She also reported that the largest single reward in 2019 was $161,337. This was for a report from Guang Gong of Alpha Lab, Qihoo 360 Technology Co. Ltd. which detailed the first reported 1-click remote code execution exploit chain on the Pixel 3 device. In addition, Guang Gong was awarded $40,000 by the Chrome Rewards program. The $201,337 combined reward was the highest reward for a single exploit chain across all Google VRP (Vulnerability Report Program) programs.


More Information

Expanding the Android Security Rewards Program

Android Security Rewards Program Rules

Bug Hunter University

Related Articles

Google Increases Android Bug Rewards

New Android Bug Bounty Scheme

Google Extends Bug Bounty To Third Party Apps

EU Bug Bounty - Software Security as a Civil Right

Last Updated ( Monday, 25 November 2019 )