Google today is expanding its Android Security Rewards Program, launched in 2015, with a new Pixel Titan M prize, and detailing highlights from the past year.
The big development is a new $1 million top prize for a full-chain remote code execution exploit with persistence that compromises the Titan M secure element found on the Pixel 3, Pixel 3a, and Pixel 4. Google’s custom-built, enterprise-grade security chip, introduced last year, secures the bootloader and protects on-device data.
Similarly, a new exploit category that includes data exfiltration and lockscreen bypass has rewards that go up to $500,000.
Google will also offer a 50% bonus for exploits found on specific Android developer preview versions that usually start in March and last until August/September. As a result, the top prize is now valued at $1.5 million. The Pixel Titan M prize and other new rewards come into effect today, with full details available here.
Looking back at 2019, the program paid out over $1.5 million to 100 participating researchers, with an average of $3,800 per finding. The average researcher was paid over $15,000, a 20% increase from the year prior.
The top payout this year of $161,337 involved a 1-click remote code execution exploit chain on the Pixel 3:
This report detailed the first reported 1-click remote code execution exploit chain on the Pixel 3 device. Guang Gong was awarded $161,337 from the Android Security Rewards program and $40,000 by Chrome Rewards program for a total of $201,337. The $201,337 combined reward is also the highest reward for a single exploit chain across all Google VRP programs. The Chrome vulnerabilities leveraged in this report were fixed in Chrome 77.0.3865.75 and released in September, protecting users against this exploit chain.