Google offers 50% higher bounties for bugs in Android 13 Beta

Google has released Android 13 Beta 1 and has sent out a call for bug hunters: Find bugs in it, and you’ll get a 50% bonus reward payout.

They should hurry up, though: the offer expires on May 26th, 2022.

Getting Android 13 as secure as possible before the final release

Android will, according to Google, focus on “building a responsible and high quality platform for all by providing a safer environment on the device and more controls to the user,” with features such as more granular permissions for media file access, a new permission (NEARBY_WIFI_DEVICES), and Privacy Sandbox.

After this first beta, three more will come in the coming months, followed by the final Android 13 release in September.

Obviously, Google wants to fix as many security issues as possible before that day comes.

“Between April 26th, 2022 and May 26th, 2022 all security vulnerabilities that reproduce exclusively on Android 13 Beta 1 are eligible for a bonus 50% reward payout on top of the standard reward payout. Vulnerabilities must be exclusive to Android 13 and must not reproduce on any other version of Android,” the company has noted in an update of its Devices Security Reward Program Rules.

This means that, if a bug hunter flags a remote code execution exploit chain on Pixel Titan M security chip, they might be rewarded with $1.5 million. A RCE exploit chain hitting the Secure Element (SE), the Trusted Execution Environment (TEE), or the Android kernel is worth up to $375,000.

Reports of vulnerabilities that allow (high value) data exfiltration from Pixel Titan M or a Secure Element can be rewarded with up to $750,000 and $375,000, respectively.

Lockscreen bypass bugs on Android 13 may be worth up to $150,000 (if it’s via software – spoofing attacks that use synthetic biometric data are not eligible for a reward), and a Device Policy Controller bypass up to $112,500.

Bug hunters can get more information here.