Google has announced the launch of a bug bounty program for Android. Researchers who report serious vulnerabilities affecting the mobile operating system can earn tens of thousands of dollars.
While Android is installed on smartphones from many vendors, the new security rewards program only covers vulnerabilities found in the latest Android versions for Nexus phones and tablets currently available for sale in the Google Store in the United States.
This means that only security holes identified in Nexus 6 and Nexus 9 are eligible for a reward. Bugs in other popular devices or custom ROMs built for Nexus will not qualify. Vulnerabilities in Nexus Player, Android Wear, or Project Tango don’t qualify either, Google said.
The search giant is mainly looking for flaws in Android Open Source Project (AOSP) code, original equipment manufacturer (OEM) libraries and drivers, the kernel, and TrustZone OS and modules. Vulnerabilities in chipset firmware might also be eligible.
The minimum amount of money Google is prepared to pay out as part of the Android Security Rewards Program, for moderate severity bugs, is $500. A high severity flaw can earn researchers $1,000, while a critical issue can be worth at least $2,000. If the reporter provides a standalone test case, the base amount increases 1.5 times, and if a patch or a CTS test is provided the amount can double. If the reporter submits both a CTS test and a patch the base reward will quadruple.
Google is prepared to offer even more for functional exploits.
“An exploit or chain of exploits leading to kernel compromise from an installed app or with physical access to the device will get up to an additional $10,000. Going through a remote or proximal attack vector can get up to an additional $20,000,” Google said. “An exploit or chain of exploits leading to TEE (TrustZone) or Verified Boot compromise from an installed app or with physical access to the device will get up to an additional $20,000. Going through a remote or proximal attack vector can get up to an additional $30,000.”
Google has pointed out that CTS tests and patches must comply with the Android Coding Style Guidelines to be eligible for additional reward amounts.
"Google’s bug bounty announcement today for it’s Nexus family is excellent news for some, but at least in the short term, is still bad news for many,” commented Kymberlee Price, senior director of researcher operations at Bugcrowd. “Incident response teams are responsible for the security of all in-support products, not just the latest version to be released. Google has famously struggled with fragmentation within their Android eco-system since it’s inception, resulting in their customers' devices lagging behind in receiving operating system updates with the newest patches.”
“As a result, releasing a security advisory for vulnerability fixes that is only available for some smartphone customers, due to original equipment manufacturer (OEM) or carriers choosing not to take the software bundle, can put customers that don’t have a fix available at increased risk of exploitation – you’ve essentially zero-dayed your own customers,” Price told SecurityWeek. “While Android’s over-the-air (OTA) updates bypass the Carrier TA process some smartphone vendors face in delivering updates to their users, Android OEMs control the release channel for issues impacting the Android framework or kernel. One would hope that this program will help Google to influence OEMs to take updated builds more frequently so all Android customers have the most secure OS available, not just for Nexus 6 and Nexus 9 customers.”
In February, Google announced the expansion of its Vulnerability Reward Program (VRP) to mobile apps developed by the company. The search giant also announced a Vulnerability Research Grants program, as part of which it will pay researchers as much as $3,133.7 up front with no strings attached.