New Android Bug Bounty Scheme
Written by Alex Armstrong   
Tuesday, 23 June 2015

Google has initiated Android Security Rewards covering vulnerabilities discovered in the latest available Android versions for Nexus phones and tablets currently available for sale in the Google Store in the U.S.

Bug hunting can be lucrative work. Google already has a Vulnerability Reward Program covering its web properties, a scheme for bugs in Chrome and a Patch reward scheme covering open source projects including Android. The new program focuses on new Android devices and is currently restricted to the Nexus 6 and Nexus 9.


As well as being geographically limited to the United States, the new program has a further restriction: it only covers bugs in code that isn't already covered by these other Google reward programs. To clarify what is covered, the announcement states:

Eligible bugs include those in AOSP code, OEM code (libraries and drivers), the kernel, and the TrustZone OS and modules. Vulnerabilities in other non-Android code, such as the code that runs in chipset firmware, may be eligible if they impact the security of the Android OS.

As with other bug bounty schemes, the amount of the reward depends on the severity of the vulnerability and the quality of the report. A bug report that includes reproduction code will get more than a simple report pointing out vulnerable code. A well-written CTS test and patch will result in an even higher reward as indicated in this table:

  Severity   Bug      Bug + test case   Bug + CTS test or patch   Bug + CTS test + patch
  Critical   $2,000   $3,000            $4,000                    $8,000
  High       $1,000   $1,500            $2,000                    $4,000
  Moderate   $500     $750              $1,000                    $2,000
  Low        $0       $333              $500                      $1,000

Google also offers additional rewards for functional exploits: 

  • An exploit or chain of exploits leading to kernel compromise from an installed app or with physical access to the device will get up to an additional $10,000. Going through a remote or proximal attack vector can get up to an additional $20,000.

  • An exploit or chain of exploits leading to TEE (TrustZone) or Verified Boot compromise from an installed app or with physical access to the device will get up to an additional $20,000. Going through a remote or proximal attack vector can get up to an additional $30,000.

 

The amount paid out is at the discretion of the reward panel, which may result in a higher or lower payout than the table indicates. Google also recognizes that some security researchers are not interested in money and provides the option to donate a reward to an established charity, in which case the donation may be doubled at Google's discretion.

Among the rules that apply to all of Google's vulnerability reward schemes are that only the first report of a specific vulnerability will be rewarded, and that bugs initially disclosed publicly, or to a third party for purposes other than fixing the bug, will typically not qualify for a reward.

Last Updated ( Tuesday, 23 June 2015 )