Google increases maximum bug bounty reward to $1.5 million


Google is increasing the maximum amount for its bug bounty program. Hackers can earn up to $1.5 million from certain discoveries. This concerns bugs in the Titan M chip in the Pixel phones. New categories will also be added to the program.

For that maximum amount, hackers have to find a serious bug. Specifically, this means a vulnerability that allows the entire Android system to be taken over remotely, with persistence so that it also remains active, writes Google. That only applies to vulnerabilities in the Titan M chip in the Pixel devices. This is a physical Trusted Execution Environment chip on which sensitive data such as passwords, but also the bootloader and disk encryption, are stored. Previously, hackers were awarded $200,000 if they could find a vulnerability in this TEE on Pixel phones. Now that will be one million dollars, or about 900,000 euros. On top of that, hackers can get an extra half as a bonus if they find those vulnerabilities in certain Android developer previews.

Google has also added some new categories to the bug bounty program. These include a reward for those who can bypass the lock screen or manage to leak information from the phone. Google refers to the program’s rules for a complete list of all the vulnerabilities for which hackers can be rewarded.

Google also says in the blog post that the company has handled more than 1,800 bug reports in the past four years and spent more than $4 million on them. One and a half million of that was paid out in the past year. The company’s top award was given to a researcher from Qihoo 360’s Alpha Lab. He was awarded a total of $201,337, or 181,923 euros, for a vulnerability that allowed an attacker to perform remote code execution on a Pixel 3 with a single click.
