
As part of a security program that aims to track, find and fix security holes in its products, Google pays researchers who report vulnerabilities. Today, Google announced that it is expanding its Security Rewards Program to Android.

The new program is looking for vulnerabilities that affect Google Android devices sold in the online Google Store in the US – specifically the Nexus 6 and Nexus 9 – although this list will expand over time as Google announces new devices. What is Google looking for? In Google’s words:

Eligible bugs include those in AOSP code, OEM code (libraries and drivers), the kernel, and the TrustZone OS and modules. Vulnerabilities in other non-Android code, such as the code that runs in chipset firmware, may be eligible if they impact the security of the Android OS.

What this does not cover, however, is bugs or vulnerabilities in the many custom ROMs that exist for Nexus devices.

So, if you find an eligible bug, what is it worth? The reward amount is based on the severity of the vulnerability and on how complete the report is: whether you simply report the bug, report it together with a test case, or report it and also provide a CTS test and/or a patch. There are also reward multipliers from 1.5x to 4x the normal amounts, as well as bonuses of $20,000 to $30,000 for exploits that defeat ASLR, NX and the sandboxing Google has set up on Android to protect users. As a general rule, though, the payment scale looks like this:

Severity    Bug       Bug + Test case   Bug + CTS test / patch   Bug + CTS test + Patch
Critical    $2,000    $3,000            $4,000                   $8,000
High        $1,000    $1,500            $2,000                   $4,000
Moderate    $500      $750              $1,000                   $2,000
Low         $0        $333              $500                     $1,000

Under the disclosure policy of its ‘Project Zero’ team, Google gives itself (and any other companies involved) up to 90 days to patch a reported vulnerability before details are made public.

If you spend time reading Google’s code and have issues you would like to report, Google wants to hear about them. For details on how to report vulnerabilities and on the rewards, head to the Android Security Rewards support page.

Source: Google Online Security Blog, Android Security Rewards Program.
    Darren Ferguson

    Well, since Google have no control over custom ROMs it would be rather silly of them to pay out bug bounties on them.