Google launches Android Security Rewards program

The reason why the program is currently only based on Nexus devices is because it makes it possible for the Android team to verify claims.
The reason why the program is currently only based on Nexus devices is because it makes it possible for the Android team to verify claims.

Bring your own Nexus device, bug bounty hunters. Speaking at Black Hat's Mobile Security Summit in London on Tuesday, Adrian Ludwig, Google's head of Android security, announced the launch of the Android Security Rewards program.

Thousands of dollars can be earned for reporting qualifying vulnerabilities in the latest versions of Android for the Nexus 6 and Nexus 9, and that list of eligible devices should change over time, the program rules website said.

The program is currently only based on the Nexus devices because it makes it possible for the Android team to verify claims, Ludwig told SCMagazine.com in a Tuesday email correspondence.

“Nexus devices include all of the code that is common across the Android ecosystem, direct researcher attention issues that are not specific to a single OEM or vendor,” Ludwig said. “We've also tuned the financial incentives for tests, patches, and exploit mitigation so that the research can provide the broadest benefit to the ecosystem.”

While the base rewards will vary depending on the severity of the bug, a critical vulnerability will typically be worth $2,000, a high-risk vulnerability will be worth $1,000, and a moderate bug will be worth $500. However, the reward will be multiplied depending on the thoroughness of the report.

“We'll reward up to 1.5x the base amount if the bug report includes standalone reproduction code or a standalone test case (e.g., a malformed file),” the website said. “If the bug report includes a patch that fixes the issue or a CTS test that detects the issue, we'll apply up to a 2x reward modifier. If there is both a CTS test and a patch, there's a potential 4x reward modifier.”

That means researchers can earn as much as $8,000 for identifying and reporting a critical bug – and that is not all.

Researchers can earn an additional $10,000 for an exploit or chain of exploits leading to kernel compromise from an installed app or with physical access to the device, and $20,000 if they go through a remote or proximal attack vector.

Additionally, bug hunters can be rewarded an additional $20,000 for an exploit or chain of exploits leading to TEE (TrustZone) or Verified Boot compromise from an installed app or with physical access to the device, and they can earn $30,000 for going through a remote or proximal attack vector.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS