Google will match Apple in how much it will pay researchers who discover a hack that allows for remote control of its smartphones. It comes at a time when tech giants are in an arms race with private marketplaces and governments offering major returns for unique hacks.
Announced Thursday, the $1 million offer is for anyone who can show off a unique attack on its Pixel 3 and 4 phones, as long as they allow for persistent access to the device. Anyone hoping to receive the reward will have to break Google’s Titan M “secure element.” Similar to Apple’s iPhone Secure Element, Titan M is a security chip that acts as a kind of guardian for device data. It will, for instance, look out for hackers trying to load malware when an Android phone is turned on and will secure app passwords.
Google is also offering up to $1.5 million for exploits found on developer preview versions of Android. Rewards for successful hacks of those versions will be given a 50% bonus. Again, Apple announced something similar back in August. “Since [Android] Q was just released, we would be rolling this out on select developer preview builds for the next version of Android,” explained Jessica Lin from the Android security team.
Rewards of up to $500,000 are also on offer for specific attacks that result in data theft and lockscreen bypass. Benevolent hackers can find out how much they can earn via Google’s updated Android Security Rewards Program Rules page. Again, this will be limited to Pixel phones running the latest version of Android.
The program goes live today. But anyone hoping their already submitted bugs are in line for increased rewards is out of luck: Google will only give out the bigger bounties for research disclosed from November 21 onwards.
Bug bounties get much bigger
Major tech companies across the world are offering bigger payouts to those who can help them improve the security of their devices by hacking them. Google said it has handed out $1.5 million to researchers in the last 12 months. The most it has given to a single researcher was for a one-click hack of a Pixel 3 created by Guang Gong. He was awarded $161,337 from the Android Security Rewards program and $40,000 by the separate Chrome Rewards initiative for a total of $201,337.
Just earlier this week, Forbes reported on Huawei’s own bug bounty, which had briefly outdone Google in offering $220,000 for a remote control hack of its many Android devices. Google previously offered a top award of $200,000.
In the blog post outlining the updates yesterday, Google did not give a reason for the sharply increased bounty. When asked about it, Android security and privacy communications manager Scott Westover told Forbes: “We think the Android Security Rewards program has proven to be a huge benefit to the community, so we want to continue to incentivize the best researchers in the world to participate.”
Apple’s recent announcement may have provided one motivation. The increasingly profitable private exploit market, in which millions are on offer for single hacks, might have provided another. That industry, full of boutique outfits like Zerodium and Crowdfense, typically pays researchers more than tech vendors do, then sells their findings to customers, often governments.
The attacks could be reused for military or intelligence purposes, or for defensive measures. But as digital rights bodies have repeatedly pointed out, not disclosing to vendors means they can’t patch, leaving billions of users vulnerable.
French researcher Robert Baptiste told Forbes that while some hackers would continue to sell to governments and their contractors, Google’s announcement sent “a very positive signal for the information security community and security in general.”