Google is expanding its Android Security Rewards (ASR) program with a new Titan M prize. The company is willing to pay as much as $1 million to anyone who can compromise the Titan M security chip found in its Pixel phones, including the Pixel 3, Pixel 3a, and Pixel 4 series phones.
That's not all though, as Google will also offer a 50 percent bonus if someone is able to find an exploit on specific Android developer preview versions. This means the top prize could be $1.5 million. Android developer preview versions usually start in March and last until September.
In addition to the new Titan M prize, Google is also adding other categories of exploits to its rewards program. Exploits involving data exfiltration and lock screen bypass have rewards that go up to $500,000. Full details are available on the Android Security Rewards Program Rules page.
The new rewards take effect starting November 21, 2019. Reports submitted before November 21, 2019, will be rewarded based on the previously existing rewards table.
Android Security Rewards Program
Google launched the ASR program in 2015 to reward people who find and report security issues on Android OS. Over the years, this program has helped Google fix thousands of issues across the Android ecosystem. The company has awarded over 1,800 reports and paid out over four million dollars in the last four years.
The web giant is now willing to pay $1 million for a "full chain remote code execution exploit with persistence" that compromises the Titan M security chip. Introduced in 2018 with the Pixel 3, the Titan M security chip offers multi-layer security for Pixel phones. Titan M is integrated into Verified Boot, Google's secure boot process, to protect devices from outside tampering. The chip also offers lock screen protection, on-device disk encryption, secure transactions in third-party apps, and more.
In the blog post announcing the new prizes, Google also detailed the ASR program highlights from the past year. The company paid out a total of $1.5 million in the last 12 months as part of its bug bounty program. Over 100 participating researchers received an average of $3,800 per finding. "On average, this means we paid out over $15,000 per researcher," Google said.
Guang Gong of Alpha Lab, Qihoo 360 Technology Co. Ltd. received the biggest single reward of $161,337 this year. Guang was awarded the amount for a "1-click remote code execution exploit chain on the Pixel 3 device." The same security researcher was also rewarded $40,000 by the Chrome Rewards program. The total sum of $201,337 happens to be the highest reward for a single exploit chain across all Google vulnerability reward programs.