Google has run its security reward program since 2010 with the goal of making its products safer for everyone. Last year it paid out more than $1.5 million to security researchers who found vulnerabilities in Chrome and other Google products.
On June 16, Jon Larimer, an Android Security Engineer, announced in a blog post that the company is expanding the program. The Android Security Rewards program will pay researchers who find, fix, and keep vulnerabilities out of Android specifically.
Through this program, Google provides financial rewards and public recognition for vulnerabilities disclosed to the Android Security Team. The reward level is based on the severity of the bug, with larger rewards for higher quality reports that include reproduction code, test cases, and patches.
Products Included in the Reward Program
The program starts by covering security vulnerabilities discovered in the latest available Android versions on the Nexus 6 phone and the Nexus 9 tablet sold in the Google Play Store in the U.S. The set of eligible devices will change over time. This makes Nexus the first line of mobile devices to offer an ongoing vulnerability rewards program.
Eligible bugs include those in AOSP code, OEM code, the kernel, and the TrustZone OS and modules. The program covers code that ships on eligible devices and is not already covered by another Google reward program. Vulnerabilities in other, non-Android code may also be eligible if they affect the security of the Android OS.
Vulnerabilities that only affect other Google devices such as Nexus Player, Project Tango, or Android Wear are not eligible for Android Security Rewards.
Qualifying Vulnerabilities Covered
To qualify for a reward, a vulnerability report must meet a few rules:
- Only the first report of a particular vulnerability will be rewarded.
- Bugs that are first disclosed publicly, or to a third party for purposes other than fixing the bug, will typically not qualify for a reward. Google encourages responsible disclosure and considers it a two-way street.
“It’s our duty to fix serious bugs within a reasonable time frame,” Google states in the blog post.
A Few Classes of Vulnerabilities Are Not Qualified for a Reward:
- Phishing attacks that involve tricking the user into entering credentials, and more generally issues that require complex user interaction.
- Attacks that involve tricking the user into tapping a UI element, such as tap-jacking and UI-redressing.
- Issues that require debugging access (ADB) to the device or only affect userdebug builds.
- Bugs that merely cause an app to crash.
Defining the Reward Amount
Google will pay for each step taken toward fixing a security bug: $500 for a moderate-severity issue, $1,000 for high, and $2,000 for critical. Researchers who also contribute patches and tests are eligible for a larger payout: up to $8,000 for a critical issue reported together with a CTS (Compatibility Test Suite) test that detects it and a patch that fixes it.
In closing, the Google team says it will continue to invest in research that finds vulnerabilities in Android.