Google now pays up to $1.5 million for Titan M security vulnerabilities on the Pixel
Google created the Android Security Reward program back in 2015 to reward people who find and report Android security issues. Over the years, this program has helped fix thousands of issues, and Google has paid out over $4 million to researchers. Today, the company has announced an expansion of the program and new reward amounts to include Titan M security vulnerabilities on the Pixel.
The Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, and Pixel 4 XL are some of the most secure Android phones on the market. Not only do they get consistent monthly updates, but they also include the Titan M security chip. Google is now introducing a top prize of $1 million in the Android Security Reward program for a “full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices.”
That’s not all. Google will also be launching a program that offers a 50% bonus for exploits found in Android Developer Previews. This means the top prize could, theoretically, be $1.5 million. Google says it added a dedicated prize for the Titan M because the Pixel series has been rated so highly for its built-in security.
On top of the Pixel Titan M payouts, Google is also introducing some other categories of exploits. These new categories include data exfiltration, lock screen bypass, and more, with rewards going up to $500,000. You can read the full details on the Android Security Reward program rules page.
Google shared some year-end stats from the Android Security Reward program as well:
- Total payouts in the last 12 months have been over $1.5 million.
- Over 100 participating researchers have received an average reward amount of over $3,800 per finding (46% increase from last year). On average, Google paid out over $15,000 (20% increase from last year) per
- The top reward paid out in 2019 was $161,337 to Guang Gong of Alpha Lab, Qihoo 360 Technology Co. Ltd for the first reported 1-click remote code execution exploit chain on the Pixel 3.