Google today announced that it has expanded the scope of its vulnerability rewards program to include the latest versions of its Nexus mobile devices, dangling thousands of dollars in front of researchers willing not only to hunt for vulnerabilities but also to develop bypasses for native Android security mechanisms.
The Android Security Rewards program, introduced in London at the Black Hat Mobile Summit, is a complement to the existing Google bug bounties for the Chrome browser and other Google products.
Android security engineer Jon Larimer said that only Nexus 6 and Nexus 9 devices currently for sale on Google Play are eligible for rewards; Google said Nexus thus becomes the first major line of mobile devices offering a bug bounty.
“We designed the program to make sure that the entire Android ecosystem will benefit from this vulnerability research,” Larimer said. “In addition to paying rewards for vulnerabilities, this program offers even larger rewards for security researchers that invest in tests and patches that will make the entire ecosystem stronger.”
The top-end reward for a critical Android bug approaches $40,000; that would involve a single exploit or a chain of attacks that compromises the Android TrustZone or Verified Boot from an installed app. Remote attacks will be worth an additional $30,000 on top of as much as $8,000 for the initial bug, reproduction code, test cases and a patch. Local attacks with those same parameters that lead to a kernel compromise from an installed app can be worth as much as an additional $20,000. Exploits that defeat mitigations such as ASLR, NX (no-execute) memory protection, or the Android application sandbox are also eligible for the highest rewards.
The baseline rewards are $2,000 for a critical vulnerability, $1,000 for one rated high, and $500 for moderate-severity issues.
“We’ll reward up to 1.5x the base amount if the bug report includes standalone reproduction code or a standalone test case (e.g., a malformed file),” Google said. “If the bug report includes a patch that fixes the issue or a CTS test that detects the issue, we’ll apply up to a 2x reward modifier. If there is both a CTS test and a patch, there’s a potential 4x reward modifier.”
Bugs in scope include those found in the Android Open Source Project (AOSP) code, OEM libraries and drivers, the Android kernel, and TrustZone. Google said it would also consider bugs in non-Android code, such as firmware, if they impact security of the OS.
“The reward amount depends on the severity of the vulnerability and the quality of the report,” Google said. “A bug report that includes reproduction code will get more than a simple report pointing out vulnerable code. A well-written CTS test and patch will result in an even higher reward.”
Google did exclude certain types of vulnerabilities, including bugs that merely cause apps to crash, and phishing. Vulnerabilities that arise from users making “unlikely configuration changes” are also ineligible, as are tap-jacking and UI-redressing attacks that work only when users tap on something in the user interface, Google said. Vulnerabilities in userdebug builds, or those that require debugging access, are also out of scope.