New Android Bug Bounty Scheme
Written by Alex Armstrong   
Tuesday, 23 June 2015

Google has initiated Android Security Rewards covering vulnerabilities discovered in the latest available Android versions for Nexus phones and tablets currently available for sale in the Google Store in the U.S.

Bug hunting can be lucrative work. Google already has a Vulnerability Reward Program covering its web properties, a scheme for bugs in Chrome and a Patch reward scheme covering open source projects including Android. The new program focuses on new Android devices and is currently restricted to the Nexus 6 and Nexus 9.

 

NEXUS

 

As well as being geographically limited to the United States another restriction is that the new program is only for bugs in code that that isn't covered by these other Google reward programs.To clarify what is covered the announcement states:

Eligible bugs include those in AOSP code, OEM code (libraries and drivers), the kernel, and the TrustZone OS and modules. Vulnerabilities in other non-Android code, such as the code that runs in chipset firmware, may be eligible if they impact the security of the Android OS.

As with other bug bounty schemes, the amount of the reward depends on the severity of the vulnerability and the quality of the report. A bug report that includes reproduction code will get more than a simple report pointing out vulnerable code. A well-written CTS test and patch will result in an even higher reward as indicated in this table:

 

Severity Bug Test case CTS / patch CTS+Patch
Critical $2,000 $3,000 $4,000 $8,000
High $1,000 $1,500 $2,000 $4,000
Moderate $500 $750 $1,000 $2,000
Low $0 $333 $500 $1,000

 

Google also offers additional rewards for functional exploits: 

  • An exploit or chain of exploits leading to kernel compromise from an installed app or with physical access to the device will get up to an additional $10,000. Going through a remote or proximal attack vector can get up to an additional $20,000.

  • An exploit or chain of exploits leading to TEE (TrustZone) or Verified Boot compromise from an installed app or with physical access to the device will get up to an additional $20,000. Going through a remote or proximal attack vector can get up to an additional $30,000.

 

The amount paid out is at the discretion of the reward panel resulting in a higher or lower pay out than expected. Google also recognizes that some security researchers are not interested in money and provides the option to donate a reward to an established charity, in which case the donation could be doubled at Google's discretion. 

Among the rules that apply with regard to all Google's vulnerability rewards schemes are that only the first report of a specific vulnerability will be rewarded and that bugs initially disclosed publicly, or to a third-party for purposes other than fixing the bug, will typically not qualify for a reward. 

androiddevicon

 

Banner


TestSprite Announces End-to-End QA Tool
14/11/2024

TestSprite has announced an early access beta program for its end-to-end QA tool, along with $1.5 million pre-seed funding aimed at accelerating product development, expanding the team, and scaling op [ ... ]



.NET 9 Released
18/11/2024

.NET 9 has been released with a number of performance improvements and new features designed to help developers use AI.


More News
 

espbook

 

Comments




or email your comment to: comments@i-programmer.info

Last Updated ( Thursday, 13 February 2020 )