Google Launches New Android Bug Bounty Program

With the debate continuing over how Android security compares to the security of other mobile platforms, Google is getting more proactive. The mobile operating system maker just launched Android Security Rewards, complete with cash incentives to encourage security researchers to keep digging for -- and reporting -- flaws.

Google will provide both money and public recognition to security researchers who discover and disclose vulnerabilities to the Android Security Team. The actual rewards are based on the severity of the bug that's discovered. The cash reward increases for higher quality reports that include code, test cases, and patches.

"In general, we will reward critical, high, and moderate severity vulnerabilities. We may in special cases consider offering rewards for test cases and patches for low-severity vulnerabilities," according to Google. "Patches that don't necessarily fix a vulnerability but provide additional hardening may qualify for Google Patch Rewards."

How Much Can You Get?

Just how much cash is Google offering? Typically $2,000 for a critical bug, $1,000 for a high severity bug and $500 for a moderate severity bug. Low severity bugs will not get rewards. But the big money is in discovering functional exploits.

Google is offering an additional $10,000 for an exploit or chain of exploits that leads to kernel compromise either from an installed app or with physical access to the device. Going through a remote or proximal attack vector can get up to an additional $20,000. Also, an exploit or chain of exploits leading to TEE (TrustZone) or Verified Boot compromise will get up to an additional $20,000. Going through a remote or proximal attack vector can get up to an additional $30,000.

Before you get too excited, Google is strictly narrowing the Android Security Rewards program. At first, it will only cover security vulnerabilities discovered in the latest available Android versions for Nexus phones and...
