Sunday, October 22 2017

Google launches Security Rewards program for Android

As part of their security program that aims to track, find and fix security holes in their products, Google pays developers who report issues. Today, Google has announced they’re expanding their Security Rewards Program to Android.

The new program will be looking for vulnerabilities which affect Google Android devices for sale in the online Google Store in the US – specifically the Nexus 6 and Nexus 9 – although this will expand over time as Google announces new devices. What is Google looking for? In Google’s words:

Eligible bugs include those in AOSP code, OEM code (libraries and drivers), the kernel, and the TrustZone OS and modules. Vulnerabilities in other non-Android code, such as the code that runs in chipset firmware, may be eligible if they impact the security of the Android OS.

What this doesn’t cover, however, is bugs or vulnerabilities in the custom ROMs that proliferate for Nexus devices.

So, if you find a bug that is eligible, what’s it worth? The reward amount is based on the severity of the vulnerability, as well as on whether you simply report the bug, report the bug in a well-researched way, or report the bug and provide a CTS patch. There are various reward multipliers from 1.5x to 4x the normal rewards, as well as bonuses of between $20,000 and $30,000 for targeted attacks which compromise ASLR, NX and the sandboxing that Google has set up for Android to protect users, but as a general rule, the payment system looks something like this:

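| Severity | Bug | Test case | CTS / patch | CTS+Patch |
|----------|-----|-----------|-------------|-----------|
| Critical | $2,000 | $3,000 | $4,000 | $8,000 |
| High | $1,000 | $1,500 | $2,000 | $4,000 |
| Moderate | $500 | $750 | $1,000 | $2,000 |
| Low | $0 | $333 | $500 | $1,000 |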

Under their ‘Project Zero’, Google has given themselves (and other companies involved) up to 90 days to patch the vulnerabilities before going public.

If you’re into looking at Google Code and have some issues you’d like to report, Google wants to hear about them. For more information on how to report vulnerabilities, or on rewards, head to the Android Security Rewards support page.

 
Source: Google Online Security Blog, and Android Security Rewards Program.

Daniel Tyson   Editor



1 Comment on "Google launches Security Rewards program for Android"

Darren

Well, since Google have no control over custom ROMs, it would be rather silly of them to pay out bug bounties on them.
