Google LLC has thrown more money into the kitty for its Android Security Rewards program, offering payments of up to $1.5 million for anyone who can compromise its Titan M secure element on its Pixel devices.

The program, first launched in 2015, operates as a bug bounty program in which “white hat” hackers — who break into systems to improve their security, in contrast to “black hats” that do it for profit or another nefarious reason — obtain rewards for identifying and informing Google of vulnerabilities in Android software.

The program has paid out more than $4 million based on 1,800 reports in its four years, with more than 100 participating researchers receiving an average reward of more than $3,800 per finding in the last year. The top reward paid out in 2019 was $161,337, making the new bounty the program’s largest yet.

The specific Titan M bounty — $1 million with an additional 50% bonus — is a challenge from Google to hackers to attempt to compromise the secure element. Titan M was first introduced by Google with the Pixel 3 smartphones in 2018 and is an enterprise-grade security chip that secures sensitive on-device data as well as Android itself.

“In 2019 Gartner rated the Pixel 3 with Titan M as having the most ‘strong’ ratings in the built-in security section out of all devices evaluated,” Jessica Lin from the Android security team said today in a blog post. “This is why we’ve created a dedicated prize to reward researchers for exploits found to circumvent the secure elements protections.”

Casey Ellis, chairman, founder and chief technology officer of crowdsourced security firm Bugcrowd Inc., told SiliconANGLE that hackers today have a few options with the bugs they uncover: Do nothing with bugs they find, use the exploits themselves, sell to an offensive buyer or get a job for one, or sell to the defensive buyer or get a job with one.

“When it comes to Google’s updated bug bounty reward program, it’s important to note that similar to Apple’s bug bounty program, the skills needed to find these types of vulnerabilities in Google devices are rare and often tied up in the offensive market — which is why the payout is so high,” Ellis explained. “By upping the incentive to hackers, Google is making bug hunting for them more attractive, especially to those that might teeter the line between white hat and black hat.”

Ellis also said the bounty gives hackers who previously could have sold their discoveries to brokers such as Zerodium or to international governments more incentive to help defend against the issue.

Image: Faruq Hossain/Wikimedia Commons