Google offers $1.5m 'prize' for spotting Pixel phone bugs

Google is raising its "reward" for uncovering security flaws in some of its Android smartphones from $200,000 to a maximum of $1.5m.

The new top "prize" is payable to those who spot bugs in the Titan M security chip in Google's Pixel smartphones and who also meet specific criteria.

Google said it had paid out more than $4m to security researchers since 2015.

But security experts have doubts about whether the reward will deter people from making money from criminals.

Other firms, including Apple, Buzzfeed, Facebook and Samsung, also offer rewards for reporting security flaws.

Companies run so-called bug bounty schemes to encourage people to report flaws, so that they can be fixed, rather than selling the exploits to criminals.

Black market

The Titan M security chip in Pixel smartphones is designed to protect the integrity of their operating system and to store biometric data, which is used to unlock the phone.

To claim the $1.5m reward, a researcher would have to find a way to compromise that chip on a device running specific developer preview editions of Android.

However, one expert suggested the increased bounty was unlikely to change behaviour.

"Just like when Apple raised their bug bounty to $1m, Google's move won't compete with the 'black market' [of selling to criminals], which can raise prices any time," said Katie Moussouris, chief executive of Luta Security.

"This price for external research raises questions for retention and recruitment of internal talent meant to prevent flaws."

The BBC also offers a "bug bounty" to security researchers who report problems so that they can be fixed.

However, due to the way the broadcaster is funded by the public, it offers a "unique BBC reward" rather than a cash prize.