New Android Bug Bounty Scheme

Written by Alex Armstrong

Tuesday, 23 June 2015

Google has initiated Android Security Rewards covering vulnerabilities discovered in the latest available Android versions for Nexus phones and tablets currently available for sale in the Google Store in the U.S.

Bug hunting can be lucrative work. Google already has a Vulnerability Reward Program covering its web properties, a scheme for bugs in Chrome and a Patch reward scheme covering open source projects including Android. The new program focuses on new Android devices and is currently restricted to the Nexus 6 and Nexus 9.

NEXUS

As well as being geographically limited to the United States another restriction is that the new program is only for bugs in code that that isn't covered by these other Google reward programs.To clarify what is covered the announcement states:

Eligible bugs include those in AOSP code, OEM code (libraries and drivers), the kernel, and the TrustZone OS and modules. Vulnerabilities in other non-Android code, such as the code that runs in chipset firmware, may be eligible if they impact the security of the Android OS.

As with other bug bounty schemes, the amount of the reward depends on the severity of the vulnerability and the quality of the report. A bug report that includes reproduction code will get more than a simple report pointing out vulnerable code. A well-written CTS test and patch will result in an even higher reward as indicated in this table:

Severity	Bug	Test case	CTS / patch	CTS+Patch
Critical	$2,000	$3,000	$4,000	$8,000
High	$1,000	$1,500	$2,000	$4,000
Moderate	$500	$750	$1,000	$2,000
Low	$0	$333	$500	$1,000

Google also offers additional rewards for functional exploits:

An exploit or chain of exploits leading to kernel compromise from an installed app or with physical access to the device will get up to an additional $10,000. Going through a remote or proximal attack vector can get up to an additional $20,000.
An exploit or chain of exploits leading to TEE (TrustZone) or Verified Boot compromise from an installed app or with physical access to the device will get up to an additional $20,000. Going through a remote or proximal attack vector can get up to an additional $30,000.

The amount paid out is at the discretion of the reward panel resulting in a higher or lower pay out than expected. Google also recognizes that some security researchers are not interested in money and provides the option to donate a reward to an established charity, in which case the donation could be doubled at Google's discretion.

Among the rules that apply with regard to all Google's vulnerability rewards schemes are that only the first report of a specific vulnerability will be rewarded and that bugs initially disclosed publicly, or to a third-party for purposes other than fixing the bug, will typically not qualify for a reward.

androiddevicon

More Information

Android Security Rewards Program Rules

Google Increases Maximum Bounty For Chrome Bugs

Google Extends Patch Reward

Navy Solicits Vulnerabilities

Google Offers Cash For Security Patches

Google Announces More Cash For Security Bugs

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Kotlin Ktor Improves Client-Server Support
04/11/2024

Kotlin Ktor 3 is now available with better performance and improvements including support for server-sent events and CSRF (Cross-Site Request Forgery) protection.

+ Full Story

Extend NGINX With The New JavaScript Module
28/10/2024

Inject middleware functionality into NGINX with the expressive power of Javascript. NGINX JavaScript or NJS for short is a dynamic module under which you can use scripting for hooking into the NGINX e [ ... ]

+ Full Story

More News

Comments

or email your comment to: comments@i-programmer.info

Last Updated ( Thursday, 13 February 2020 )

More Information

Related Articles

Comments