Google has announced a significant expansion of its Android
Security Rewards (ASR) program, which is used to reward security researchers
who manage to find vulnerabilities in the company’s various products.
A top prize of $1 million is now on the table for any
security researcher who can compromise the Titan M secure element on Pixel
devices with a full-chain remote code execution exploit. While the prize is already
impressive, Google added a 50% bonus if the researcher manages to identify
exploits on upcoming versions of the Android operating system.
Phones can be compromised in multiple ways, and not all
exploits or vulnerabilities relate to the core of the OS or to the Titan M
chip. Google will also offer rewards up to $500,000, depending on the
discovery, for data exfiltration and lockscreen bypass.
“In 2019, Gartner rated the Pixel 3 with Titan M as
having the most ‘strong’ ratings in the built-in security section out of all
devices evaluated,” said Jessica Lin from the Android Security Team.
“This is why we’ve created a dedicated prize to reward
researchers for exploits found to circumvent the secure element’s protections.”
The Android Security Rewards (ASR) program has been highly lucrative in the past, and Google has paid over $1.5 million in the past year alone. In total, over 100 security researchers earned an average of $3,800 per finding. The top reward paid in 2019 was $161,337, which underlines how large the increase to the new top prize is.