Published: Fri, November 22, 2019
Electronics | By Kelly Massey

Google's Android bug bounty program will now pay out $1.5 million

Google's Android bug bounty program will now pay out $1.5 million

To tighten the safety of its upcoming version of security chip, Titan M, Google is offering a prize worth one million United States dollars.

Bug bounty programmes are quite common for tech companies where they invite security researchers to point out flaws and bugs in their hardware and software. Given that this is likely a rather niche target - and may be particularly hard to achieve, given Google's confidence in the Titan M chip - the company is also offering a variety of new rewards for other types of vulnerabilities relating to data exfiltration and lock screen bypass.

Google is asking to find out a full chain remote code execution exploit with persistence, meaning a vulnerability that lets cybercriminals exploit a device remotely.

Titan M was first introduced by Google with the Pixel 3 smartphones in 2018 and is an enterprise-grade security chip that secures sensitive on-device data as well as Android itself. Suffice to say, the integrity of Titan M is an important element for the security of Pixel devices recently. "This is why we've created a dedicated prize to reward researchers for exploits found to circumvent the secure elements protections". Google has been paying out some people who report security holes in the Chrome browser since 2010, upping its Chrome bug bounty to $30,000 in July this year. Zerodium justified the change in order because Google and Samsung had improved Android security dramatically, while there was a "bunch of 1-click iOS exploits on the market".

China wants US trade deal but 'not afraid' to fight back: Xi
Several Chinese government agencies and numerous state-run media bombarded the White House with harsh criticism after the U.S. Kissinger, 96, said he hoped trade negotiations would provide an opening to political discussions between the two countries.

Ellis also said the bounty gives hackers who previously could have sold their discoveries to brokers such as Zerodium or to global governments more incentive to help defend against the issue. This means the top prize, theoretically, could be $1.5 million. If that exploit chain is then combined with exploits in "specific developer preview versions of Android", a 50 percent bonus is enacted, which brings the total to the aforementioned $1.5 million. The $1.5 million maximum payout is achieved with a $500,000 bonus that will likely be incredibly tough to pull off.

The top reward paid out in 2019 was $161,337 to Guang Gong of Alpha Lab, Qihoo 360 Technology Co. Ltd for a "remote code execution exploit chain on the Pixel 3 device".

"Over 100 participating researchers have received an average reward amount of over $3,800 per finding (46% increase from last year)".

Like this: