New Android Bug Bounty Scheme
New Android Bug Bounty Scheme
Written by Alex Armstrong   
Tuesday, 23 June 2015

Google has initiated Android Security Rewards covering vulnerabilities discovered in the latest available Android versions for Nexus phones and tablets currently available for sale in the Google Store in the U.S.

Bug hunting can be lucrative work. Google already has a Vulnerability Reward Program covering its web properties, a scheme for bugs in Chrome and a Patch reward scheme covering open source projects including Android. The new program focuses on new Android devices and is currently restricted to the Nexus 6 and Nexus 9.

 

NEXUS

 

As well as being geographically limited to the United States another restriction is that the new program is only for bugs in code that that isn't covered by these other Google reward programs.To clarify what is covered the announcement states:

Eligible bugs include those in AOSP code, OEM code (libraries and drivers), the kernel, and the TrustZone OS and modules. Vulnerabilities in other non-Android code, such as the code that runs in chipset firmware, may be eligible if they impact the security of the Android OS.

As with other bug bounty schemes, the amount of the reward depends on the severity of the vulnerability and the quality of the report. A bug report that includes reproduction code will get more than a simple report pointing out vulnerable code. A well-written CTS test and patch will result in an even higher reward as indicated in this table:

 

Severity Bug Test case CTS / patch CTS+Patch
Critical $2,000 $3,000 $4,000 $8,000
High $1,000 $1,500 $2,000 $4,000
Moderate $500 $750 $1,000 $2,000
Low $0 $333 $500 $1,000

 

Google also offers additional rewards for functional exploits: 

  • An exploit or chain of exploits leading to kernel compromise from an installed app or with physical access to the device will get up to an additional $10,000. Going through a remote or proximal attack vector can get up to an additional $20,000.

  • An exploit or chain of exploits leading to TEE (TrustZone) or Verified Boot compromise from an installed app or with physical access to the device will get up to an additional $20,000. Going through a remote or proximal attack vector can get up to an additional $30,000.

 

The amount paid out is at the discretion of the reward panel resulting in a higher or lower pay out than expected. Google also recognizes that some security researchers are not interested in money and provides the option to donate a reward to an established charity, in which case the donation could be doubled at Google's discretion. 

Among the rules that apply with regard to all Google's vulnerability rewards schemes are that only the first report of a specific vulnerability will be rewarded and that bugs initially disclosed publicly, or to a third-party for purposes other than fixing the bug, will typically not qualify for a reward. 

androiddevicon

 

Banner


Programmers Against Slaughterbots
20/11/2017

Autonomous weapons might sound like a good idea at first, why send soldiers to die, but the potential for misuse is obvious. You might not have thought of such as the slaughterbot - you need to see th [ ... ]



How To Ask A Successful Question on Stack Overflow
08/11/2017

As the result of extensive analysis of Stack Overflow questions and answers, researchers have come up with some dos and don'ts about framing questions that will result in useful answers. 


More News

 

 
 

 

blog comments powered by Disqus

Last Updated ( Tuesday, 23 June 2015 )
 
 

   
RSS feed of news items only
I Programmer News
Copyright © 2017 i-programmer.info. All Rights Reserved.
Joomla! is Free Software released under the GNU/GPL License.