Google really wants you to hack the Pixel’s Titan M security chip

The company’s bug bounty program boosted to a $1.5 million top prize

Google has increased the maximum prize for its Android bug bounty program to $1 million for anyone who can compromise the Titan M security chip found in its Pixel phones. The top prize is for a “full chain remote code execution exploit with persistence” of the dedicated security chip. On top of that, there’s an additional 50 percent bonus if a security researcher is able to find an exploit on specific developer preview versions of Android, resulting in a potential prize of $1.5 million. The new rewards take effect starting today.

Introduced with 2018’s Pixel 3, Google’s Titan M security chip cordons off your smartphone’s most sensitive data from its main processor to protect against certain attacks. Google says the chip offers “on-device protection for login credentials, disk encryption, app data, and the integrity of the operating system.” Since its introduction, the chip has also been integrated with Android’s security key functionality, where it’s used to store a person’s FIDO credentials. Suffice it to say, the integrity of the Titan M is an important element of the security of recent Pixel devices.

Google has now paid out over $4 million as part of its Android Security Rewards program

Along with the Titan M reward, Google has also announced a number of new exploit categories for the Android Security Rewards program, which it launched in 2015. These go up to $500,000 and include exploits involving data exfiltration and lock screen bypass. Full details are available on the program’s rewards page.

Google says it’s paid out a total of $1.5 million in 2019 as part of its bug bounty program, for a total of over $4 million over the last four years. In 2019, Google awarded an average bounty of over $15,000 per researcher. The biggest single reward given out this year was $161,337, for the first reported “1-click remote code execution exploit chain on the Pixel 3 device.”