Calling all bug hunters: Google has announced that it will pay a cash reward of up to $1.5 million to anyone who can outsmart its new Titan M security chip, which is used in the Pixel 3 and Pixel 4 smartphones for processing encryption, lock-screen protections, secure transactions, and other sensitive processes. Those who manage to find a “full chain remote code execution exploit with persistence” get a cool $1M, while an exploit chain that works against a preview version of Android OS gets the top $1.5M prize.

Today’s announcement comes as Google also increased bug bounty payouts across the board for the entire Android Vulnerability Rewards Program (VRP). Until today, the maximum vulnerability payout was $200,000 for “a remote exploit chain leading to a TrustZone or Verified Boot compromise.” Since the Android VRP’s launch in 2015, nobody has earned this top reward, and chances are low that no one will be able to hack Android running on a Titan M chip either.

Discussion