Google's Android Bug Bounty Balloons To $1.5 Million Max Payout

android couple
Google's Android bug bounty program has come a long way since its humble roots back in mid-2015. At the time, the search and software giant offered a maximum payout of $38,000 for specific exploits that compromised the world's most popular operating system. Today, Google has announced that its maximum payout now weighs in at up to a staggering $1.5 million if certain exploit conditions are met.

Google previously offered payouts that maxed out at $200,000, but the new "baseline" top prize is $1 million. The $1.5 million maximum payout is achieved with a $500,000 bonus that will likely be incredibly tough to pull off.

The purpose of the bug bounty is to help beef up the security of both its first-party Pixel hardware and the Android operating system as a whole. Android in particular has been a common target for hackers -- we recently covered an exploit that leverages the Google Camera app -- so it should come as no surprise that Google wasn't to make sure that its hardware and software is as secure as possible.

google pixel 4 xl front

As of today, the Android bug bounty covers the following devices:

  • Pixel 4 and Pixel 4 XL
  • Pixel 3a and Pixel 3a XL
  • Pixel 3 and Pixel 3 XL
  • Pixel 2 and Pixel 2 XL

However, the new $1.5 million top prize is reserved for Pixel 3/Pixel 3 XL and newer devices as they feature Google's Titan M security chip. Titan M is responsible for securing the bootloader, on-device encryption, lock screen protection, and generating (and storing) private keys for apps.

As Google explains, the "Top prize of $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices." If that exploit chain is then combined with exploits in "specific developer preview versions of Android", a 50 percent bonus is enacted, which brings the total to the aforementioned $1.5 million.

According to Google, it has paid over $1.5 million to researchers over the past year for discovering exploits via its bug bounty program. The highest payout to-date weighs in at $201,337 and it was awarded to a member of the Alpha Lab division of Qihoo 360 Technology.

Show comments blog comments powered by Disqus