Google has recently announced that the Android Security Rewards (ASR) program launched in 2015 would be expanded with increased rewards, with the top prize now reaching $1.5 million.
In other words, if you come across a security bug that meets certain requirements, you’re eligible for one of the biggest bounties in the industry.
Google says your report must disclose a full-chain remote code execution exploit with persistence that affects the Titan M secure element available on the Pixel smartphone. Such a discovery is rewarded with $1 million, but if the bug is discovered in specific developer preview versions of Android, you get a 50% bonus, which means the total bounty reaches $1.5 million.
Right now, the biggest code execution bounties are the following:
| Category | Bounty |
| --- | --- |
| Pixel Titan M | Up to $1,000,000 |
| Secure Element | Up to $250,000 |
| Trusted Execution Environment | Up to $250,000 |
| Kernel | Up to $250,000 |
| Privileged Process | Up to $100,000 |
Top payments
On the other hand, if you also come across high-value data secured by Pixel Titan M, you can receive a maximum reward of $500,000.
Google says its Android bounty program is going very well, as the company paid more than $1.5 million in the last 12 months, with the top reward this year being $161,337.
“Over 100 participating researchers have received an average reward amount of over $3,800 per finding (46% increase from last year). On average, this means we paid out over $15,000 (20% increase from last year) per researcher!” Jessica Lin, Android Security Team, says.
“The highest reward paid out to a member of the research community was for a report from Guang Gong (@oldfresher) of Alpha Lab, Qihoo 360 Technology Co. Ltd. This report detailed the first reported 1-click remote code execution exploit chain on the Pixel 3 device. Guang Gong was awarded $161,337 from the Android Security Rewards program and $40,000 by Chrome Rewards program for a total of $201,337.”
The full Android Security Rewards Program rules are available here.