Google has expanded its Security Reward Programs to include researchers that find, fix, and prevent vulnerabilities specifically in Android. It is called it the Android Security Rewards programme.
With the introduction of the programme, Google will be encouraging developers or any user to find bugs in the company’s operating system, which in-turn will result in a more secure Android operating system. Like its Chrome security bug programme, the Android Security Rewards Programme will also pay users who “find, fix, and prevent vulnerabilities on Android.”
The company blog post mentions that the programme will initially let users start with Nexus devices on sale via Google Play in the US (currently Nexus 6 and Nexus 9). The company will pay for each step required for fixing the bug, including patches and tests. The firm is also looking to make the entire Android ecosystem more secure, and promises larger rewards to those developers. “In addition to rewards for vulnerabilities, our program offers even larger rewards to security researchers that invest in tests and patches that will make the entire ecosystem stronger,” Google saidin the post.
As a part of the programme rule, Google would be categorising the vulnerabilities in three levels – Critical, High, and Moderate and would be rewarding the users based on the same. While the users who find critical bugs would receive $2,000 (roughly Rs. 1.28 lakhs), the high and moderate bug finders would receive $1,000 (roughly Rs. 64,000) and $500 (roughly Rs. 32,000) respectively. Also, it will be up to Google to decide the “eligibility” of the bug after the details are disclosed to them. For more information, the users can view the programme’s FAQ page.
The vulnerabilities covered by Android Security Rewards include bugs in AOSP code, OEM code (libraries and drivers), the kernel, and the TrustZone OS and modules. “Vulnerabilities in other non-Android code, such as the code that runs in chipset firmware, may be eligible if they impact the security of the Android OS,” says the FAQ page.
Google says that the largest rewards will be given to researchers who will show how to workaround Android’s security features including ASLR, NX, and the sandboxing. The search giant said it would also continue to pay for users who contribute in making the Android’s security stronger via the Patch Rewards Programme and the mobile pwn2own competitions.