The Android Bug Bounty Program is here, and it’s time to report bugs and get paid.
Google’s bug bounty, or security rewards program, which has paid out millions of dollars since 2010 to researchers who identified vulnerabilities in Google products such as Chrome, has been expanded.
The program now covers the Android operating system, the largest member of Google’s product family.
Jon Larimer, Android security engineer, stated:
“Today, we’re expanding our program to include researchers that will find, fix,
and prevent vulnerabilities on Android, specifically.”
According to a Google spokesperson, the Android Security Rewards program currently covers only vulnerabilities that affect the latest Android OS version, and only on Google’s own Nexus 6 smartphone and Nexus 9 tablet. The list of eligible devices is expected to grow over time.
We do hope that older versions of the Android OS will be included in this program and that Google will encourage its partner firms to come up with timely updates for their apps so that the majority of users can benefit from the bug bounty program.
To claim a reward under this program, researchers must find vulnerabilities in one or more of the eligible devices that are not already covered by another Google reward program. The rules state:
“Eligible bugs include those in AOSP code, OEM code
(libraries and drivers), the kernel, and the TrustZone OS and modules.
Vulnerabilities in other non-Android code, such as the code that runs in
chipset firmware, may be eligible if they impact the security of the Android
OS.”
The disclosure deadline is 90 days at most, and the rewards are substantial. Larimer says larger rewards go to researchers who go beyond reporting a bug and also contribute tests or patches that help make the ecosystem healthier.
The biggest prizes are reserved for “researchers that demonstrate
how to work around Android’s platform security features, like ASLR, NX, and the
sandboxing that is designed to prevent exploitation and protect users.”
A typical bug report can expect a reward of around $2,000 (£1,200), with the exact amount determined by the severity of the bug. Researchers who also submit test cases and AOSP (Android Open Source Project) patches can receive higher rewards of up to $8,000 (£5,000).
Rewards can rise to $20,000 or even $30,000 (roughly £12,000 to £19,000) for a vulnerability that compromises the kernel, the TEE/TrustZone, or the Verified Boot process.