Google Offers Bug Bounty Up to $1.5 Million
Written by Alex Armstrong
Monday, 25 November 2019
Google has announced a new bug bounty of $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices. This can be boosted to $1.5 million for exploits found on specific developer preview versions of Android.
If you want the exploit explained without the security jargon - Google is prepared to pay up if the hacker gains access to a Pixel's operating system remotely in a way that doesn't require any interaction with the phone's user.
Explaining Google's decision to offer such a large reward, Jessica Lin of the Android Security Team points out that earlier this year Gartner rated the Pixel 3 with Titan M as having the most “strong” ratings in the built-in security section out of all devices evaluated, noting:
This is why we’ve created a dedicated prize to reward researchers for exploits found to circumvent the secure elements protections.
Two other categories of exploits have been added to the rewards program, which was first introduced in 2015 (see New Android Bug Bounty Scheme). Data exfiltration of high value data secured by Pixel Titan M can be rewarded with a bounty up to $500,000, while up to $250,000 is on offer for high value data secured by a Secure Element. Up to $100,000 is available for lockscreen bypass exploits achieved via software that would affect multiple or all devices. These amounts don't take into account the 50% bonus for exploits revealed at developer preview stage.
In the same blog post, Lin revealed that the Android Reward Program paid out a total of over $1.5 million to security researchers in the last 12 months and that:
She also reported that the largest single reward in 2019 was $161,337. This was for a report from Guang Gong of Alpha Lab, Qihoo 360 Technology Co. Ltd., which detailed the first reported 1-click remote code execution exploit chain on the Pixel 3 device. In addition, Guang Gong was awarded $40,000 by the Chrome Rewards program. The $201,337 combined reward was the highest reward for a single exploit chain across all Google VRP (Vulnerability Report Program) programs.
Last Updated (Monday, 25 November 2019)