Google Offers Bug Bounty Up to $1.5 Million
Written by Alex Armstrong   
Monday, 25 November 2019

Google has announced a new bug bounty of $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices. This can be boosted to $1.5 million for exploits found on specific developer preview versions of Android.

If you want the bounty explained without the security jargon: Google is prepared to pay up if a hacker can remotely run their own code on a Pixel without any interaction from the phone's user, keep that foothold on the device, and use it to compromise the Titan M security chip.

Explaining Google's decision to offer such a large reward, Jessica Lin of the Android Security Team points out that earlier this year Gartner rated the Pixel 3 with Titan M as having the most “strong” ratings in the built-in security section out of all devices evaluated, noting:

This is why we've created a dedicated prize to reward researchers for exploits found to circumvent the secure element's protections.

Two other categories of exploits have been added to the rewards program, which was first introduced in 2015, see New Android Bug Bounty Scheme. Data exfiltration of high value data secured by Pixel Titan M can be rewarded with a bounty of up to $500,000, while up to $250,000 is on offer for high value data secured by a Secure Element. Up to $100,000 is available for lockscreen bypass exploits achieved via software that would affect multiple or all devices. These amounts don't take into account the 50% bonus for exploits reported at developer preview stage.

In the same blog post, Lin revealed that the Android Security Rewards program paid out a total of over $1.5 million to security researchers in the last 12 months and that:

  • Over 100 participating researchers have received an average reward amount of over $3,800 per finding (46% increase from last year). On average, this means [Google] paid out over $15,000 (20% increase from last year) per researcher!

She also reported that the largest single reward in 2019 was $161,337. This was for a report from Guang Gong of Alpha Lab, Qihoo 360 Technology Co. Ltd. which detailed the first reported 1-click remote code execution exploit chain on the Pixel 3 device. In addition Guang Gong was awarded $40,000 by the Chrome Rewards program. The $201,337 combined reward was the highest reward for a single exploit chain across all Google VRP (Vulnerability Reward Program) programs.

More Information

Expanding the Android Security Rewards Program

Android Security Rewards Program Rules

Bug Hunter University

Related Articles

Google Increases Android Bug Rewards

New Android Bug Bounty Scheme

Google Extends Bug Bounty To Third Party Apps

EU Bug Bounty - Software Security as a Civil Right 


Last Updated ( Monday, 25 November 2019 )