Google recently announced an update to its Android Security Rewards program, which provides monetary compensation to hackers who disclose vulnerabilities in the Android system. The reward amounts are on a sliding scale of bug severity and can be further increased by providing Google with reproduction code, test cases, and patches.
Google was initially offering a reward of $50,000 for “complete remote exploit chain leading to TrustZone or Verified Boot compromise”, and $30,000 for a remote kernel exploit. As Google has not received any successful attempts, those rewards have been increased to a whopping $200,000 and $150,000 respectively.
As of June 2017, the eligible devices for the Android Security Rewards program are:
- Pixel and Pixel XL
- Pixel C
However, it may not be entirely necessary to own those devices, as the program covers the AOSP code, OEM code, kernel, TrustZone OS and modules. You could theoretically load the Pixel AOSP into an emulator if you wanted to go bug-hunting yourself.
The program rules are as follows:
- Only the first report of a specific vulnerability will be rewarded.
- A bug report must include as much detail as possible, a buildable proof of concept, crash dump if available, and any additional repro steps. For tips on how to submit complete reports, refer to Bug Hunter University.
- Bugs initially disclosed publicly, or to a third-party for purposes other than fixing the bug, will typically not qualify for a reward. Google encourages responsible disclosure, and we believe responsible disclosure is a two-way street; it’s our duty to fix serious bugs within a reasonable time frame.
And the following vulnerabilities are not qualified for entry to the program:
- Issues that require complex user interaction. For example, if the vulnerability requires installing an app and then waiting for a user to make an unlikely configuration change.
- Phishing attacks that involve tricking the user into entering credentials.
- Tap-jacking and UI-redressing attacks that involve tricking the user into tapping a UI element.
- Issues that only affect userdebug builds or require debugging access (ADB) to the device.
- Bugs that simply cause an app to crash.
- Low severity issues typically do not qualify for rewards, as described in Bug Hunter University, with some exceptions.
Along with updating the Android Security Rewards program, Google also released a list of devices that are running the most current Android security patch – with literally hundreds (or even thousands) of device models out there running the Android system, it’s actually rather shocking how few devices are running the latest security patches.
- BlackBerry: Priv
- Fujitsu: F-01J
- General Mobile: GM5 Plus d, GM5 Plus, General Mobile 4G Dual, General Mobile 4G
- Gionee: A1
- Google: Pixel XL, Pixel, Nexus 6P, Nexus 6, Nexus 5X, Nexus 9
- LG: LG G6, V20, Stylo 2 V, GPAD 7.0 LTE
- Motorola: Moto Z, Moto Z Droid
- Oppo: CPH1613, CPH1605
- Samsung: Galaxy S8 Plus, Galaxy S8, Galaxy S7, Galaxy S7 Edge, Galaxy S7 Active, Galaxy S6 Active, Galaxy S5 Dual SIM, Galaxy C9 Pro, Galaxy C7, Galaxy J7, Galaxy On7 Pro, Galaxy J2, Galaxy A8, Galaxy Tab S2 9.7
- Sharp: Android One S1, 507SH
- Sony: Xperia XA1, Xperia X
- Vivo: Vivo 1609, Vivo 1601, Vivo Y55
It’s particularly strange that no Huawei devices are on that list, considering Huawei and Google have had an incredibly close partnership the past number of months, as Huawei designed Google’s Nexus 6P flagship device.
In any case, with so high a reward for disclosing vulnerabilities, it’s a given that top Android developers are working hard on cracking the code – but one must wonder how many malicious hackers are working on the same thing, without intent to disclose their findings.