, and

As part of their security program that aims to track, find and fix security holes in their products, Google pays developers who reports issues. Today, Google has announced they’re expanding their Security Rewards Program to Android.

The new program will be looking for vulnerabilities which affect Google Android devices for sale in the online Google Store in the US – specifically the Nexus 6 and Nexus 9 – although this will expand over time as Google announces new devices. What is Google looking for? In Google’s wordsd :

Eligible bugs include those in AOSP code, OEM code (libraries and drivers), the kernel, and the TrustZone OS and modules. Vulnerabilities in other non-Android code, such as the code that runs in chipset firmware, may be eligible if they impact the security of the Android OS.

What this doesn’t cover however is bugs or vulnerabilities in custom ROMS that proliferate for Nexus devices.

So, if you find a bug that is eligible, what’s it worth? The reward amount is based on the severity of the vulnerability, as well as if you simply report the bug, report the bug in a well researched way, or report the bug and provide a CTS patch. There’s various reward multipliers from 1.5x to 4x the normal rewards, as well as bonuses of between $20,000 to $30,000 for targeted attacks which compromise ASLR, NX and the sandboxing that Google has setup for Android to protect users, but as a general rule, the payment system looks something like this:

Severity Bug Test case CTS / patch CTS+Patch
Critical $2,000 $3,000 $4,000 $8,000
High $1,000 $1,500 $2,000 $4,000
Moderate $500 $750 $1,000 $2,000
Low $0 $333 $500 $1,000

Under their ‘Project Zero’, Google has given themselves (and other companies involved) up to 90 days to patch the vulnerabilities before going public.

If you’re into looking at Google Code and have some issues you’d like to report, Google wants to hear about them. For more information on how to report vulnerabilities, or rewards head to the Android Security Rewards support page for more information.

Source: Google Online Security BlogAndroid Security Rewards Program.
    1 Comment
    Inline Feedbacks
    View all comments
    Darren Ferguson

    Well since Google have no control over custom ROM’s is would be rather silly of them to pay out bug bounties on them.