Google's Android Bug Bounty Balloons To $1.5 Million Max Payout

by Brandon Hill — Thursday, November 21, 2019, 12:51 PM EDT

Google's Android bug bounty program has come a long way since its humble roots back in mid-2015. At the time, the search and software giant offered a maximum payout of $38,000 for specific exploits that compromised the world's most popular operating system. Today, Google has announced that its maximum payout now weighs in at up to a staggering $1.5 million if certain exploit conditions are met.

Google previously offered payouts that maxed out at $200,000, but the new "baseline" top prize is $1 million. The $1.5 million maximum payout is achieved with a $500,000 bonus that will likely be incredibly tough to pull off.

The purpose of the bug bounty is to help beef up the security of both its first-party Pixel hardware and the Android operating system as a whole. Android in particular has been a common target for hackers -- we recently covered an exploit that leverages the Google Camera app -- so it should come as no surprise that Google wasn't to make sure that its hardware and software is as secure as possible.

As of today, the Android bug bounty covers the following devices:

Pixel 4 and Pixel 4 XL
Pixel 3a and Pixel 3a XL
Pixel 3 and Pixel 3 XL
Pixel 2 and Pixel 2 XL

However, the new $1.5 million top prize is reserved for Pixel 3/Pixel 3 XL and newer devices as they feature Google's Titan M security chip. Titan M is responsible for securing the bootloader, on-device encryption, lock screen protection, and generating (and storing) private keys for apps.

As Google explains, the "Top prize of $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices." If that exploit chain is then combined with exploits in "specific developer preview versions of Android", a 50 percent bonus is enacted, which brings the total to the aforementioned $1.5 million.

According to Google, it has paid over $1.5 million to researchers over the past year for discovering exploits via its bug bounty program. The highest payout to-date weighs in at $201,337 and it was awarded to a member of the Alpha Lab division of Qihoo 360 Technology.

Tags: Android, Google, (nasdaq:goog), bug bounty

Brandon Hill

Brandon received his first PC, an IBM Aptiva 310, in 1994 and hasn’t looked back since. He cut his teeth on computer building/repair working at a mom and pop computer shop as a plucky teen in the mid 90s and went on to join AnandTech as the Senior News Editor in 1999. Brandon would later help to form DailyTech where he served as Editor-in-Chief from 2008 until 2014. Brandon is a tech geek at heart, and family members always know where to turn when they need free tech support. When he isn’t writing about the tech hardware or studying up on the latest in mobile gadgets, you’ll find him browsing forums that cater to his long-running passion: automobiles.

Opinions and content posted by HotHardware contributors are their own.

Which New GPU Is For You?

Stay updated with the latest news and updates. Subscribe to our newsletter!

Subscribe Now