Google’s Android bounty program reward has just shot up. If anyone manages to exploit the Titan M chip on Pixel devices, the company will reward that individual with up to over a million. To qualify, a researcher has to find a full-chain remote code execution exploit with persistence that compromises Titan M.
New updates in Google’s bounty program
The bounty program was created in 2015, and since then it has paid out over $4 million for more than 1,800 reported vulnerabilities. The single highest reward, however, was over $200,000 in the current year. Google's payouts totaled over $1.5 million during the last year.
In the recent announcement, Google declared that it will now offer significantly higher rewards through its Android Security Rewards program.
Other (competitive) bounty reward programs
Zerodium, a leading exploit acquisition platform that claims to provide its services mainly to government organizations, is currently offering up to $2.5 million for an Android exploit chain that offers persistence and requires no clicks. It pays up to $2 million for an iOS exploit chain that requires one click and offers persistence on the device, and $1 million for chat app exploits affecting WhatsApp, iMessage, or SMS/MMS applications.
Why is Titan M going to be a challenge?
Titan M, a custom-built security chip for Pixel 3, cordons off the smartphone’s most sensitive data from its main processor in order to protect it against certain attacks.
Casey Ellis, founder and CTO of Bugcrowd, said Google's bounty has risen because "the skills needed to find these types of vulnerabilities in Google devices are rare and often tied up in the offensive market." "By upping the incentive to hackers, Google is making bug hunting for them more attractive, especially to those that might teeter the line between whitehat and blackhat," Ellis told Silicon Angle.