Google Waving Big Cash: $1.5M Bounty for the Right Bug - Security Boulevard

Google Waving Big Cash: $1.5M Bounty for the Right Bug

If you can find a critical security bug in Google’s new phone security chip, you could make some serious cash-money—especially if you can exploit it on a current developer preview build. La GOOG really wants to find all the vulnerabilities in its Titan M enclave.

There are big bounty bumps for other types of flaw, too. Supposedly, the increases are because Android is so much more secure than iOS.

Wait, what? In today’s SB Blogwatch, we check our preconceived idea.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: AES101.


Make.Money.Fast.

What’s the craic? Catalin Cimpanu reports—“Google will pay bug hunters up to $1.5m if they can hack its Titan M chip”:

 Launched last year, the Titan M chip is currently part of Google Pixel 3 and Pixel 4. … It’s a separate chip that’s [dedicated] to processing sensitive data and processes, like Verified Boot, on-device disk encryption, lock screen protections, [and] secure transactions.

The company’s move comes after … private companies that acquired Android exploits had increased payouts for Android bugs to $2.5 million, making it the first time Android bugs were worth more than iOS … on the private market. [That’s] because Android devices had become harder to hack due to the constant flow of security features that Google has added.

Google also increased bug bounty payouts across the board for the entire Android Vulnerability Rewards Program (VRP). … Google is also adding another bug reporting category: … up to $500,000 for bug reports involving data exfiltration and lockscreen bypasses.

And Dan Goodin adds, “Big bump coincides with investments Google has poured into securing its Pixel phone”:

 Google will offer a 50 percent bonus to any of its rewards if the exploit works on specific developer preview versions. … A critical Titan M hack on a developer preview could fetch $1.5 million, and a data exfiltration or lockscreen bypass … could earn $750,000, and so on.

The Titan M is a Google-designed chip that’s … analogous to the Secure Enclave in iPhones. [It] was first introduced in 2018 with the roll out of the Pixel 3.

Ohhh that’s what it is. Cmdln Daco writes to stderr: [You’re fired—Ed.]

 They need a more nichey and elite buzzword term to refer to their chip, like the fruity company does. … Seccer Awnclayve.

Anyhoo, here’s Google’s Jessica Lin—“Expanding the Android Security Rewards Program”:

 Over the past 4 years, we have [rewarded] over 1,800 reports, and paid out over four million dollars. … Total payouts in the last 12 months have been over $1.5 million [with] an average reward amount of over $3,800 per finding (46% increase from last year).

The top reward paid out in 2019 was $161,337 … for a report from Guang Gong. [It] detailed the first reported 1-click remote code execution exploit chain on the Pixel 3.

Happy bug hunting!

But why? JR Raphael explainifies thuswise:

 Any software … is inherently imperfect. That’s the nature of the beast; vulnerabilities are always gonna come up, whether the software is controlled by Google, Samsung, Apple, or anyone else.

That, in fact, is why so many companies actively seek out and sometimes even pay people to hunt for security flaws in their software — so they can find ’em, fix ’em, and continue to strengthen their programs. … It’s a never-ending evolution, and it’s the same story for Google as it is for every major software company.

What ultimately matters is that the company in question responds to issues that are identified and then patches them promptly — ideally before any real damage is done. [Here’s] a strong reminder of just how important it is to have a phone whose manufacturer actually takes security seriously and sends out timely updates.

If you aren’t using a phone whose manufacturer consistently delivers [updates] (and, let’s be honest, there aren’t many device-makers that do), you’re opting yourself in to less-than-optimal security in exchange for, what? Some flashy hardware, maybe, or a brand name you’ve bought into before?

Excellent update-friendly options are readily available for as little as a few hundred bucks.

Imagine how many phones you could buy with $1.5M. Not enough, says Gravis Zero:

 Considering each government agency will pay about that much a single use, I think they should up the bounty to $50M. They have to recognize these are one-off payments where governments are willing to continually shell out money while the hack still works.

But Dilbert has doubts:

 [There’s] that pesky issue of reward from Google is legal income, while selling zero days on the internet is not. … And is a great way to end up with a white van perma-parked outside your house.

Or, instead of finding bugs in Google products, try finding bugs in its bug-tracker. Alex Birsan explains “How I hacked Google’s bug tracking system itself for $15,600 in bounties”:

 The Issue Tracker (internally called Buganizer System) is a tool used … to track bugs and feature requests. … There are about 2000–3000 issues per hour being opened during the work hours in Mountain View, and only 0.1% of them are public. … Let’s break it!

The Ticket Trick … gave me a lot of extra benefits in other places across the internet, including the ability to hitch a ride (for free, maybe?), so it was still a security problem that opened a lot of doors for malicious users. … Bounty: $3,133.

[I] extrapolated a range of a few thousand IDs which should coincide with the latest issues in the database. I then starred them all. … Apparently, I could only eavesdrop on translation-related conversations, where people would debate the best ways to convey the meaning of a phrase in different languages. … Bounty: $5,000.

If you want to see all the cool stuff Google employees can do, you can look for API endpoints. … There was no explicit check that the current user actually had access. … I could now see details about every issue in the database. … Bounty: $7,500.

Meanwhile, Robert Endl foresees an oint in the flyment:

 China will see your $1.5M and raise you.

And Finally:

AES Explained

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Tim Sullivan (cc:0)

Richi Jennings

Featured eBook
Managing the AppSec Toolstack

Managing the AppSec Toolstack

The best cybersecurity defense is always applied in layers—if one line of defense fails, the next should be able to thwart an attack, and so on. Now that DevOps teams are taking  more responsibility for application security by embracing DevSecOps processes, that same philosophy applies to security controls. The challenge many organizations are facing now ... Read More
Security Boulevard

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 265 posts and counting.See all posts by richi