Google will now pay up to $1.5 million for very specific Android exploits


When Google first introduced its bug bounty program for Android, the biggest reward you could get for finding and reporting a potential exploit was $38,000.

The cap grew over time, as Android grew in popularity, more security researchers got on board and more vulnerabilities were unearthed. This morning, Google is bumping its top reward up to $1.5 million.

They’re not going to pay out a million+ for just any bug, of course.

For this new reward category, Google is looking for a “full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices.” In other words, they’re looking for an exploit that, without the attacker having physical access to the device, achieves code execution that survives a device reset and breaks into the dedicated security chip built into the Pixels.

Reporting an exploit that fits that bill will get researchers up to $1 million. If they can do it on “specific developer preview versions” of Android, meanwhile, there’s a 50% bonus reward, bumping the maximum prize up to $1.5 million.

Google first introduced the Titan M security chip with the Pixel 3. As Google outlines, the chip’s job is essentially to supervise: it double-checks boot conditions, verifies firmware signatures, handles lock screen passcodes and tries to keep malicious apps from forcing your device to roll back to “older, potentially vulnerable” builds of Android. The same chip can be found in the Pixel 4 lineup.

Indeed, $1.5 million for a single exploit sounds like a lot… and it is. It’s roughly what Google paid out for all bug bounties in the last 12 months. The top reward this year, the company says, was $161,337 for a “1-click remote code execution exploit chain on the Pixel 3 device.” The average payout, meanwhile, was about $3,800 per finding. Given the potential severity of persistently busting through the security chip on what’s meant to be the flagship form of Android, though, a wild payout makes sense.
