Google's Android Bug Bounty Balloons To $1.5 Million Max Payout
Google previously offered payouts that maxed out at $200,000, but the new "baseline" top prize is $1 million. The $1.5 million maximum payout is achieved with a $500,000 bonus that will likely be incredibly tough to pull off.
The purpose of the bug bounty is to help beef up the security of both Google's first-party Pixel hardware and the Android operating system as a whole. Android in particular has been a common target for hackers -- we recently covered an exploit that leverages the Google Camera app -- so it should come as no surprise that Google wants to make sure that its hardware and software are as secure as possible.
As of today, the Android bug bounty covers the following devices:
- Pixel 4 and Pixel 4 XL
- Pixel 3a and Pixel 3a XL
- Pixel 3 and Pixel 3 XL
- Pixel 2 and Pixel 2 XL
However, the new $1.5 million top prize is reserved for Pixel 3/Pixel 3 XL and newer devices as they feature Google's Titan M security chip. Titan M is responsible for securing the bootloader, on-device encryption, lock screen protection, and generating (and storing) private keys for apps.
Google describes the award as follows: "Top prize of $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices." If that exploit chain is then combined with exploits in "specific developer preview versions of Android", a 50 percent bonus is enacted, which brings the total to the aforementioned $1.5 million.
According to Google, it has paid over $1.5 million to researchers over the past year for discovering exploits via its bug bounty program. The highest payout to date weighs in at $201,337, and it was awarded to a member of the Alpha Lab division of Qihoo 360 Technology.