Google’s bug bounty program has always raised eyebrows with the huge bounties given to researchers for their exploits. But Google made an eye-popping announcement by declaring a US$1.5 million bug bounty reward for cracking Pixel’s Titan M secure element chip.
What is Titan M?
Titan M is an enterprise-grade security chip custom built for Google’s smartphone brand, Pixel. This chip secures the most sensitive on-device data and operating system. Titan M helps the bootloader (the program that validates and loads Android when the phone turns on)—make sure that the latest Android version is loaded. It stores the last known safe Android version and restricts attackers from moving to an older and potentially vulnerable Android version on the device. Titan M also prevents attackers’ attempts to unlock the bootloader.
The other salient features of Titan M are:
- Lock screen and On-Device Disk Encryption protection
- Secure Third-Party App Transactions
- Insider Attack Resistance
Google Bug Bounty Program
As per official records, Google’s Android bug bounty reward program (better known as Android Security Rewards (ASR) was introduced in 2015 to reward researchers who find and report security issues to help keep the Android ecosystem safe.
This program covers security vulnerabilities discovered in the latest Android versions for Pixel phones and tablets. The set of devices change over time, but as of November 1, 2019 it covers:
- Pixel 4
- Pixel 3a and Pixel 3a XL
- Pixel 3 and Pixel 3 XL
Google introduced the Titan M chip for the first time in a Pixel 3 device and kept a bounty of US$ 1 million. But none could claim it. Why? Because it comes with an asterisk mark “*”.
The actual reward amount is at the discretion of the rewards committee and depends on several factors, including (but not limited to):
- A detailed writeup describing how the exploit works.
- The initial attack vector (i.e. remote exploitation versus local).
- Whether the exploit is device or build-specific, or whether it works across a broad set of builds and devices.
- The amount of user interaction required for the exploit to work.
- Whether the user could feasibly detect that an exploit is in progress or completed.
- How reliable the exploit is.
- Exploit chains found on specific developer preview versions of Android are eligible for up to an additional 50 percent reward bonus.
Google is determined to work towards cybersecurity and that’s evident from the fact that in 2019 alone it has paid out over US$1.5 million in bug bounty, wherein the top reward pay-out was US$ 161,337.
Also, Google recently launched a new bug bounty program Developer Data Protection Reward Program (DDPRP) and the expansion of Google Play Security Reward Program (GPSRP), which are intended to detect and mitigate data abuse issues in Chrome plugins, Android apps, and OAuth projects.