Google puts million dollar awards on Android bug bounty table

Google has added a reward to researchers who can present a way to compromise its Titan M secure element, used in the company's Pixel devices running Android, worth a million US dollars.

A full-chain remote code exploit with device persistence is required to bring home the bug bounty bacon for researchers under the Android Security Rewards program, active since 2015.

There is also a 50 per cent bonus for exploit chains found on specific preview versions of Android, meaning researchers could earn as much as US$1.5 million for a Titan M exploit.

The Titan M security module protects the Android Verified Boot security feature and stores secrets, prevents fake button presses, enforces factory reset policies and stops unlock attempts without owners' cooperation, as well as forced firmware updates that could be used to access device data.

Google's ASR program will also award up to half a million US dollars for data exfiltration and lockscreen bypass exploits now.

Since its inception, ASR has paid out over four million dollars in reward for over 1800 bug reports.

Qihoo 360's Alpha Lab researcher Guang Gong earnt over US$200,000 for a bug report that featured a one-click remote code execution exploint chain for Pixel 3, from both the ASR and Chrome Rewards programs.