What you need to know
- Google is expanding the Android Security Rewards program.
- The biggest possible bug bounty under the program is now $1.5 million.
- There are also other new types of prizes, relating to data exfiltration and lock screen bypass, which go up to $500,000.
Google's bug bounty program for Android, known as Android Security Rewards, has given out over $4 million in the four years since its launch, across more than 1,800 individual reports. The company now wants to build on that success by expanding the program and adding higher-yield rewards to entice more researchers to probe the company's existing security architecture.
The most substantial reward under the program now relates to the company's integrated security chip for its Pixel line of smartphones — the Titan M — which it says has accorded the Pixel 3 the privilege of having the strong rating for built-in security among the current crop of flagship devices. Any researchers that can demonstrate "a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices" will be eligible for a $1 million payday.
That number — alongside other possible rewards — can be further augmented by 50% if the exploit can be replicated on specific developer preview versions of the OS. All in all, that means the largest possible reward for the program is now a whopping $1.5 million. Given that this is likely a rather niche target — and may be particularly difficult to achieve, given Google's confidence in the Titan M chip — the company is also offering a variety of new rewards for other types of vulnerabilities relating to data exfiltration and lock screen bypass. These can go up to $500,000 per report, based on the nature of the exploit. The specifics of these may be found here.
The changes to the program, which has paid out a combined $1.5 million to more than 100 different researchers within the last year, are set to go live on November 21, 2019. Any bounties reported after this date will be based on the new rules. Unfortunately, however, if you discovered and reported an exploit before this date, you will be paid based on the previous scale.