|New Android Bug Bounty Scheme|
|Written by Alex Armstrong|
|Tuesday, 23 June 2015|
Google has initiated Android Security Rewards covering vulnerabilities discovered in the latest available Android versions for Nexus phones and tablets currently available for sale in the Google Store in the U.S.
Bug hunting can be lucrative work. Google already has a Vulnerability Reward Program covering its web properties, a scheme for bugs in Chrome and a Patch reward scheme covering open source projects including Android. The new program focuses on new Android devices and is currently restricted to the Nexus 6 and Nexus 9.
As well as being geographically limited to the United States another restriction is that the new program is only for bugs in code that that isn't covered by these other Google reward programs.To clarify what is covered the announcement states:
Eligible bugs include those in AOSP code, OEM code (libraries and drivers), the kernel, and the TrustZone OS and modules. Vulnerabilities in other non-Android code, such as the code that runs in chipset firmware, may be eligible if they impact the security of the Android OS.
As with other bug bounty schemes, the amount of the reward depends on the severity of the vulnerability and the quality of the report. A bug report that includes reproduction code will get more than a simple report pointing out vulnerable code. A well-written CTS test and patch will result in an even higher reward as indicated in this table:
Google also offers additional rewards for functional exploits:
The amount paid out is at the discretion of the reward panel resulting in a higher or lower pay out than expected. Google also recognizes that some security researchers are not interested in money and provides the option to donate a reward to an established charity, in which case the donation could be doubled at Google's discretion.
Among the rules that apply with regard to all Google's vulnerability rewards schemes are that only the first report of a specific vulnerability will be rewarded and that bugs initially disclosed publicly, or to a third-party for purposes other than fixing the bug, will typically not qualify for a reward.
or email your comment to: firstname.lastname@example.org
|Last Updated ( Thursday, 13 February 2020 )|