In the past few days, Google announced an update to the Android Security Rewards program, which pays researchers who uncover security vulnerabilities in the Android system. The reward is set on a sliding scale according to bug severity and can be increased further by providing Google with reproduction code, test cases, and patches.
Google originally paid $50,000 for a “complete remote exploit chain leading to TrustZone or Verified Boot compromise” and $30,000 for a remote kernel exploit. Since nobody had successfully claimed these rewards, they have now been raised substantially, to $200,000 and $150,000 respectively.
However, owning a Pixel device may not be strictly necessary, since the program covers AOSP code, OEM code, the kernel, the TrustZone OS and its modules. In theory, you can build the Pixel AOSP code, run it in the emulator, and hunt for bugs yourself.
The program rules are as follows:
- Only the first report of a specific vulnerability will be rewarded.
- A bug report must include as much detail as possible, a build-able proof of concept, crash dump if available, and any additional repro steps. For tips on how to submit complete reports, refer to Bug Hunter University.
- Bugs initially disclosed publicly, or to a third-party for purposes other than fixing the bug, will typically not qualify for a reward. Google encourages responsible disclosure, and we believe responsible disclosure is a two-way street; it’s our duty to fix serious bugs within a reasonable time frame.
The following kinds of issues do not qualify for the program:
- Issues that require complex user interaction. For example, if the vulnerability requires installing an app and then waiting for a user to make an unlikely configuration change.
- Phishing attacks that involve tricking the user into entering credentials.
- Tap-jacking and UI-redressing attacks that involve tricking the user into tapping a UI element.
- Issues that only affect user-debug builds or require debugging access (ADB) to the device.
- Bugs that simply cause an app to crash.
- Low severity issues typically do not qualify for rewards, as described in Bug Hunter University, with some exceptions.