Google now offers a US$1 million bounty for Titan M chipset vulnerabilities
Google has updated its Android Security Rewards Program so as to integrate the new Pixel 4 and Pixel 4 XL devices, and to refresh the bounties that are offered for executable vulnerabilities that affect the Titan M security chip found in these phones, as well as in the Pixel 3, 3 XL, 3a and 3a XL. smarphone series.
The Mountain View giant's mobile-OS Security Rewards Program's next highest bounty is for up to half a million US dollars, potentially payable to anyone who can bypass existing safeguards to extract high-value data in the presence of the Titan M platform. It offers up to $250000 for the same secured by a Google Secure Element.
Reports of code-executions that affect such an Element are also potentially valued at the same amount, as are those that target Trusted Execution Environments in Android. In addition, there is also up to $100000 for the ability to identify new methods of impugning a phone's lockscreen.
Those aiming to claim such rewards would be best served by writing them up in full, as well as the ability to define and characterize them properly. This includes criteria such as whether the vulnerability in question is device-agnostic or not; whether the attack vector has been nominated correctly; the exploit's reproducibility and what must be done to take advantage of it.