Google recently expanded its bug bounty program, offering a bounty of up to $1.5 million for Android 13 Beta vulnerabilities. Last week, the Android 13 Beta opened to developers and early adopters, and Google promised that the new version will focus on privacy and security issues.
Google tweeted that all Android 13 Beta exploits would receive an additional 50% bounty, and explicitly mentioned it on the Android project page. However, the page also adds an important note: “The vulnerability must be unique to the Android 13 system and must not be reproduced on other versions of Android.”
This bug bounty program is also time-limited: the additional rewards are limited to bug reports provided before May 27. For a sense of scale, $1.5 million is significantly larger than the highest-ever Android bug bounty paid last year, which was $157,000 for a chain of critical vulnerabilities in an unspecified component.
In 2019, Google began offering $1 million to anyone who could hack into the Titan M security chip, which is built into Pixel smartphones. Specifically, it requires a “persistent, full-chain remote code execution vulnerability that compromises the Titan M secure element on Pixel devices.”
But so far, no one has claimed this reward. So to get the $1.5 million bounty, an ethical hacker would need to not only subvert the Titan M, which has never been subverted, but also make sure the bug works on Android 13 betas, and only on Android 13 betas.