Google doubles down on Android security with an upgraded bug bounty program

Image: Google Titan Security Key (Image credit: Android Central)

What you need to know

  • Google is expanding the Android Security Rewards program.
  • The biggest possible bug bounty under the program is now $1.5 million.
  • New reward categories for data exfiltration and lock screen bypass exploits pay up to $500,000.

Google's bug bounty program for Android, known as Android Security Rewards, has paid out more than $4 million across more than 1,800 individual reports in the four years since its launch. The company now wants to build on that success by expanding the program and adding higher-value rewards to entice more researchers to probe the security architecture it has already shipped.

The most substantial reward under the program now targets the company's integrated security chip for its Pixel line of smartphones, the Titan M, which Google says earned the Pixel 3 the strongest rating for built-in security among the current crop of flagship devices. Any researcher who can demonstrate "a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices" will be eligible for a $1 million payout.

That figure, like the program's other rewards, is increased by 50% if the exploit also works on specific developer preview versions of the OS. All told, the largest possible single reward is now $1.5 million. Because this is a niche target, and a difficult one given Google's confidence in the Titan M chip, the company is also introducing new reward categories for other classes of vulnerability, namely data exfiltration and lock screen bypass. These pay up to $500,000 per report, depending on the nature of the exploit. The full breakdown is in the program's published rules.

The changes to the program, which has paid out a combined $1.5 million to more than 100 different researchers within the last year, take effect on November 21, 2019. Reports submitted after this date will be assessed under the new rules. Unfortunately, anyone who discovered and reported an exploit before this date will still be paid on the previous scale.

Muhammad Jarir Kanji