Google announces reward program for Android bugs

Google has announced that it will start paying researchers for information about vulnerabilities affecting Android.

The Android Security Rewards are incremental. “For vulnerabilities affecting Nexus phones and tablets available for sale on Google Play (currently Nexus 6 and Nexus 9), we will pay for each step required to fix a security bug, including patches and tests,” Android Security Engineer Jon Larimer explained.

For example, the base reward amount for a critical bug is $2,000. If the bug report includes standalone reproduction code or a standalone test case (e.g., a malformed file), the baseline rises to $3,000. If it includes a patch or a CTS test, it rises to $4,000. If both are included, the minimum reward is $8,000.

“Besides these reward levels, we offer additional rewards for functional exploits,” the company notes in the rules. “An exploit or chain of exploits leading to kernel compromise from an installed app or with physical access to the device will get up to an additional $10,000. Going through a remote or proximal attack vector can get up to an additional $20,000.”

“An exploit or chain of exploits leading to TEE (TrustZone) or Verified Boot compromise from an installed app or with physical access to the device will get up to an additional $20,000. Going through a remote or proximal attack vector can get up to an additional $30,000.”

Researchers will be rewarded for flagging bugs in AOSP code, OEM code (libraries and drivers), the kernel, and the TrustZone OS and modules. Bugs that require complex user interaction in order to be exploited, bugs that just crash apps, and several other classes of vulnerabilities won’t qualify for a reward.

“Our pledge to you is to respond promptly and fix bugs in a sensible timeframe — and in exchange, we ask for a reasonable advance notice,” the company says, noting that they consider a 90 day disclosure deadline reasonable.

“Android will continue to participate in Google’s Patch Rewards Program which pays for contributions that improve the security of Android (and other open source projects). We’ve also sponsored mobile pwn2own for the last 2 years, and we plan to continue to support this and other competitions to find vulnerabilities in Android,” concluded Larimer.