by Al Sacco

Google bumps up bounty on Android bugs

News Analysis
Jun 21, 2016

During the past year, Google paid more than half a million dollars to researchers who identified flaws in its mobile OS. In fact, the Android Security Rewards program has been so successful that Google increased related bug bounties.

A year ago, Google announced an extension to its Google Vulnerability Rewards Program geared specifically at the Android mobile OS. Called Android Security Rewards, the initiative is designed to incent crafty coders (Google employees and non-employees) to pound Android for potential vulnerabilities, and then get paid for their efforts — assuming they find bugs. 

Google’s pay scale for the program varies based on the severity of flaws identified, but during the past year, Google says it paid out upwards of $550,000 to more than 82 individual researchers, for an average of $2,200 per reward and $6,600 per researcher. One individual cashed in to the tune of $75,750 for 26 different vulnerability reports, according to Google, and 15 separate researchers made more than $10,000 each. (A third of the more than 250 flaws identified related to Android’s Media Server component, and a list of people who successfully identified bugs and submitted reports is available on Google’s site.)

Android Security Rewards is meant specifically to combat flaws in Google’s own Nexus-branded Android devices, and it doesn’t necessarily impact other Android gadgets that may not suffer from the same vulnerabilities. However, the company says “more than a quarter of the issues were reported in code that is developed and used outside of the Android Open Source Project. Fixing these kernel and device driver bugs helps improve security of the broader mobile industry (and even some non-mobile platforms).”

Evolution of the Android Security Rewards program

Google so far considers the program a success, and last week it bumped up the bounty it pays for Android bugs.

Google says it will now pay 33 percent more for a “high-quality vulnerability report with proof of concept.” A critical vulnerability report with a proof of concept, for example, now pays $4,000 instead of $3,000. High-quality vulnerability reports with proofs of concept, Compatibility Test Suite (CTS) tests, or a patch will receive 50 percent more money. Google boosted its reward for a remote or proximal kernel exploit from $20,000 to $30,000. And finally, remote exploit chains or exploits that lead to TrustZone or Verified Boot compromises now pay $50,000, up from $30,000, according to Google. (During the past year, Google didn’t pay out this top reward for a complete remote exploit chain that led to such a TrustZone or Verified Boot compromise.)

The program also inadvertently spotlights third-party Android device makers’ ongoing struggles to release timely security updates, a result of Android fragmentation. While Google can work to immediately find fixes and distribute them to its Nexus phones and tablets, third-party original equipment manufacturers (OEMs) must often perform rigorous software tests and receive carrier approval before releasing updates. In March, BlackBerry called out its Android rivals for slow security software updates, claiming it distributes patches faster than any other Android OEM. 

You can learn more about Android Security Rewards on Google’s development site.
