Google ups bug bounties for Android flaws, exploits

Google has expanded the Android Security Rewards (ASR) program and increased the bug bounties it’s willing to award for certain kinds of exploits.

About the Android Security Rewards Program

ASR covers security vulnerabilities discovered in the latest available Android versions for Pixel phones and tablets, which are currently Pixel 4, Pixel 3a and Pixel 3a XL, and Pixel 3 and Pixel 3 XL.

“Eligible bugs include those in AOSP code, OEM code (libraries and drivers), the kernel, the Secure Element code, and the TrustZone OS and modules. Vulnerabilities in other non-Android code, such as the code that runs in chipset firmware, may be eligible if they impact the security of the Android OS,” Google clarifies.

As it’s usual with bug bounty programs, the final amount received by vulnerability reporters depends on many things: the severity of the flaw, the quality of their write-up, the amount of user interaction required for the exploit to work, the reliability of the exploit, and more.

Latest changes and rewards increases

“We are introducing a top prize of $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices. Additionally, we will be launching a specific program offering a 50% bonus for exploits found on specific developer preview versions of Android, meaning our top prize is now $1.5 million,” Jessica Lin of the Android Security Team announced on Thursday.

The Titan M chip – custom built for Pixel 3 to secure users’ most sensitive on-device data, the operating system, third-party apps and secure sensitive transactions – was launched a year ago.

Achieving arbitrary code execution that results in the compromise of other secure environments, the kernel and privileged processes can also lead to substantial rewards:

“In addition to exploits involving Pixel Titan M, we have added other categories of exploits to the rewards program, such as those involving data exfiltration and lockscreen bypass. These rewards go up to $500,000 depending on the exploit category,” she added.

Rewards for lockscreen bypass exploits (maximum: $100,000) will be given out only for exploits achieved via software that would affect multiple or all devices. Those hoping to bypass the lockscreen via fake masks or fingerprints will be disappointed: spoofing attacks that use synthetic biometric data are not eligible for reward, Google says.

More information about the Android Security Rewards Program is available here.

Google is trying to secure as much of the Android attack surface it can: it has recently partnered with several mobile security companies to identify potentially harmful and unwanted Android apps before they are listed on Google Play and expanded the Google Play Security Reward Program to include all apps in Google Play with 100 million or more installs.