With the debate continuing over how Android security compares to the security of other mobile platforms, Google is getting more proactive. The mobile operating system maker just launched Android Security Rewards, complete with cash incentives to encourage security researchers to keep digging for — and reporting — flaws.
Google will provide both money and public recognition to security researchers who discover and disclose vulnerabilities to the Android Security Team. The actual rewards are based on the severity of the bug that’s discovered. The cash reward increases for higher quality reports that include code, test cases, and patches.
“In general, we will reward critical, high, and moderate severity vulnerabilities. We may in special cases consider offering rewards for test cases and patches for low-severity vulnerabilities,” according to Google. “Patches that don’t necessarily fix a vulnerability but provide additional hardening may qualify for Google Patch Rewards.”
How Much Can You Get?
Just how much cash is Google offering? Typically $2,000 for a critical bug, $1,000 for a high severity bug and $500 for a moderate severity bug. Low severity bugs will not get rewards. But the big money is in discovering functional exploits.
Google is offering an additional $10,000 for an exploit or chain of exploits that leads to kernel compromise either from an installed app or with physical access to the device. Going through a remote or proximal attack vector can get up to an additional $20,000. Also, an exploit or chain of exploits leading to TEE (TrustZone) or Verified Boot compromise will get up to an additional $20,000. Going through a remote or proximal attack vector can get up to an additional $30,000.
Before you get too excited, Google is strictly narrowing the Android Security Rewards program. At first, it will only cover security vulnerabilities discovered in the latest available Android versions for Nexus phones and tablets currently selling in the Google Store in the U.S. Right now, that’s only the Nexus 6 and Nexus 9.
Google also made it clear that Android Security Rewards covers bugs in code that isn’t already covered by other reward programs at Google. That limits eligible bug discoveries to AOSP code, OEM code, the kernel, and the TrustZone OS and modules. Google clarified that flaws discovered in other non-Android code, such as the code that runs in chipset firmware, could be allowed if they impact the security of the Android OS.
In terms of rules, only the first report of a specific vulnerability will be rewarded. Bugs initially disclosed publicly, or to a third-party for purposes other than fixing the bugs, will typically not qualify for rewards. There’s a list of vulnerability classes that will generally not qualify for rewards, such as bugs that cause apps to crash, on the promotion page.
We asked Lane Thames, security researcher at advanced threat detection firm Tripwire, for his thoughts about the Android Security Rewards program. He told us it’s highly aligned with many other bug bounty programs that currently exist, both in terms of program rules and payouts.
“It’s great to see such a large project as Android, which has significant global market penetration, step up to the game with this type of security program,” Thames said. “Bug bounty programs are becoming more and more common each day, and it is actually becoming a very big business.”
These programs can be profitable for both security researchers and the businesses who offer the bounties, he noted. Security researchers get paid for their time to discover new vulnerabilities without fear of legal issues, and the associated businesses paying bounties for these vulnerability discoveries are actually taking advantage of economies of scale.
“This is especially true for products such as Android that are based on open source software,” Thames said. “Bug bounty programs such as this are definitely win-win.”
This entry passed through the Full-Text RSS service – if this is your content and you’re reading it on someone else’s site, please read the FAQ at fivefilters.org/content-only/faq.php#publishers.