informa
3 min read
article

Google Offers $1.5M Bug Bounty for Android 13 Beta

The security vulnerability payout set bug hunters rejoicing, but claiming the reward is much, much easier said than done.

Google has expanded its bug-bounty program to offer a whopping $1.5 million for a top-notch Android 13 Beta exploit – specifically, for a hack of the Titan M security chip that ships with Pixel phones.

Android 13 Beta became available last week to developers and early adopters, with Google promising an outsized focus on privacy and security. It apparently aims to deliver in that department, if the bounty bump is any indication.

The Internet giant announced a 50% bonus for all Android 13 Beta exploits on Twitter and updated its Android program page to reflect the offer, adding an important caveat: "Vulnerabilities must be exclusive to Android 13 and must not reproduce on any other version of Android," it noted.

To take advantage of the largess, bug hunters will need to set off on safari soon: The increased rewards are only good for reports filed before May 27.

Putting the $1.5M Payout into Context
For a sense of perspective on that payout number, it's worth noting that $1.5 million is exponentially larger than the highest-ever bounty for an Android vulnerability, which was paid last year — $157,000 for a critical exploit chain in an unspecified component. It's also half the amount paid out in the entirety of 2021 for Android flaws ($3 million total, across hundreds of exploits), and roughly equal to the sum total of payouts in 2020. So, this is a lot of love for one bug.

That said, the likelihood of seeing a payout that size is a long shot. That's because it would be connected to the last time Google dabbled in big-bucks territory: In 2019, it began offering $1 million to anyone who could hack the Titan M security chip, which is embedded in Google Pixel smartphones. Specifically, it requires a "full chain remote code execution exploit with persistence, which compromises the Titan M secure element on Pixel devices."

But so far, that reward has gone unclaimed. Thus, to reel in the $1.5 million on offer, an ethical hacker would need to not only subvert the never-subverted Titan M, but also make sure the exploit works on Android 13 Beta – and only on Android 13 Beta.

The difficulty scale hasn't deterred some. As one bounty hunter tweeted, "BRB going to sell my soul to the hacker gods to get a full remote code execution exploit chain on the Titan M."

All Android 13 Beta Exploits Get a Bump
Google's other rewards for finding an exploitable security vulnerability in Android are also subject to the 50% bonus for Android 13 Beta. Those run anywhere from $75,000 (for a Device Policy Controller bypass or code execution in a privileged process) to $500,000 (for exfiltrating high-value data secured by Titan M). Most rewards clock in at $250,000.

OEM code (libraries and drivers), Digital Car Keys, kernel, boot-loader, Secure Element code, TrustZone OS and apps, system on chip (SoC), MicroController Unit (MCU), Boot ROM, RAM memory, Flash memory, filesystem, Trusted Execution Environment (TEE), radio units, etc., are all considered eligible targets.