Today at Black Hat’s Mobile Security Summit in London, Google announced a security reward program for Android. As of right now, it covers only Google’s own Nexus devices sold in the Play Store, which at the moment means just the Nexus 6 and Nexus 9.
Payments start at $500 for moderate vulnerabilities and go up to $8,000 for those who find more serious bugs and can prove it by submitting a test case and a patch. There is also a $30,000 reward for those who can exploit TrustZone or Verified Boot. $10,000 and $20,000 are also reward amounts, but for installed-app attacks. Code in scope for the security rewards program includes OEM code, AOSP, the TrustZone OS, the kernel, and kernel modules. Non-Android vulnerabilities, such as those in chipset firmware, may be eligible only if they impact Android OS security. Google devices not eligible for the program are the Nexus Player, Android Wear, and Project Tango.
This isn’t the first time Google has launched a reward program that pays bounties to researchers or hackers. Google has provided one for Chrome OS, a patch reward program back in 2013 for web applications, and others for other Google products. Google states it has paid out more than $4 million in rewards since its first reward program back in 2010; $1.5 million of that was paid to more than 200 researchers in 2014 alone.
If you plan on helping Google find these vulnerabilities, you will need to report all bugs to AOSP’s public issue tracker using a specific template. When submitting a patch or CTS test, you will need to attach the patches to the bug report instead of uploading them to AOSP. As Google states:
“When investigating a vulnerability, please, only ever target your own devices. Never attempt to access anyone else’s data and do not engage in any activity that would be disruptive or damaging to your fellow users or to Google.”
Do you think Google offering money will help solve security issues with Nexus devices? Leave a comment below, or on Google+, Facebook, or Twitter.