Google has announced a significant expansion of its Android Security Rewards (ASR) program, which is used to reward security researchers who manage to find vulnerabilities in the companies’ various products.
A top prize of $1 million is now on the table for any security researcher who can compromise the Titan M secure element on Pixel devices with a full chain remote code execution exploit. While the prize is already impressive, Google added a 50% bonus if the researcher manages to identify exploits on upcoming versions of the Android operating system.
Phones can be compromised in multiple ways, and not all exploits or vulnerabilities relate to the core of the OS or to the Titam M chip. Google will also offer rewards up to $500,000, depending on the discovery, for data exfiltration and lockscreen bypass.
“In 2019, Gartner rated the Pixel 3 with Titan M as having the most ‘strong’ ratings in the built-in security section out of all devices evaluated,” said Jessica Lin from the Android Security Team.
“This is why we’ve created a dedicated prize to reward researchers for exploits found to circumvent the secure elements protections.”
The Android Security Rewards (ASR) program has been highly lucrative in the past, and Google has paid over $1.5 million in the past year alone. In total, over 100 security researchers earned an average of $3,800 per finding. The top reward paid in 2019 was $161,337, which only underlines the massive increase in the payment system.