Google’s security rewards program, which has handed out millions of dollars to researchers who found bugs in Chrome and other Google products since 2010, has now been extended to include the largest member of its product family: the Android operating system.
Android security engineer Jon Larimer said:
Today, we're expanding our program to include researchers that will find, fix, and prevent vulnerabilities on Android, specifically.
Google says the new Android Security Rewards Program will only cover vulnerabilities affecting the latest version of Android running on its own Nexus 6 smartphone and Nexus 9 tablet for now, but the list of eligible devices will change over time.
I hope Google will include older versions of the Android operating system or, better yet, encourage its partners to push out more timely updates in the future, otherwise any security benefits derived from this bug bounty program will only be enjoyed by a minority of customers.
To claim a bounty under the new program, researchers will need to discover bugs on one or both of the eligible devices that are not already covered by any of Google’s other reward programs with the rules stating:
Eligible bugs include those in AOSP code, OEM code (libraries and drivers), the kernel, and the TrustZone OS and modules. Vulnerabilities in other non-Android code, such as the code that runs in chipset firmware, may be eligible if they impact the security of the Android OS.
Larimer said the program will pay out larger rewards to those who go beyond simply discovering a vulnerability, handing over larger piles of cash in return for tests and patches that will help to make the entire ecosystem more robust.
The largest possible rewards will go “to researchers that demonstrate how to work around Android’s platform security features, like ASLR, NX, and the sandboxing that is designed to prevent exploitation and protect users.”
Researchers submitting a bug can expect to earn anything up to $2000 (about £1200), depending on its severity level. By also submitting test cases, unit cases and AOSP (Android Open Source Project) patches, that reward could rise to as much as $8000 (about £5000).
If an exploit is able to compromise the kernel, TEE (TrustZone) or the Verified Boot process, the potential bounty could rise to between $20,000 and $30,000 (about £12,000 – £19,000).
Google suggests a reasonable disclosure deadline of 90 days, which matches the timescale its own Project Zero team adheres to when reporting Android bugs. The company says any researcher publicly revealing new bugs before the 90-day period is up will be unlikely to receive a reward, but it will consider each case on its own merits.
Vulnerabilities which resolve around tricking the user, or eliciting complex interaction, such as phishing attacks, tap-jacking or a reliance on unlikely configuration changes are unlikely to qualify for a reward. Bugs that do nothing more than cause an app to crash will also be excluded from the program.
Android, Larimer said, will continue to participate in Google’s Patch Rewards Program, which pays for contributions that improve the security of Android (as well as other open source projects). Google will also continue to support mobile pwn2own, as it has done for the last 2 years, as well as other competitions designed to find vulnerabilities in Android.
Wrapping up, Larimer said:
Open security research is a key strength of the Android platform. The more security research that's focused on Android, the stronger it will become.