Fresh from paying out US$1.5 million (A$1.9 million) to security researchers who found bugs in the Chrome browser and other products last year, Google is expanding its bounty rewards program to include its Android operating system and related devices.
Android security engineer Jon Larimer said under the new program, Google will pay for “each step required to fix a security bug, including patches and tests” for Nexus phones and tablets available on Google Play. This is currently confined to the Nexus 6 and 9 devices, but is likely to change in future as new devices arrive.
In addition, Google will offer larger rewards to researchers who invest in tests and patches to make the ecosystem stronger and those who "demonstrate how to work around Android's platform security features, like ASLR, NX, and the sandboxing that is designed to prevent exploitation and protect users".
Android will continue to participate in Google's patch rewards program, which pays for contributions that improve the security of Android (and other open source projects). Google has also sponsored the Pwn2Own hacking contest for the last two years, and plans to continue with this and other competitions to find flaws in the mobile OS.
“As we have often said, open security research is a key strength of the Android platform. The more security research that's focused on Android, the stronger it will become,” Larimer said.
Rewards in the new bug bounty program start from the low hundreds but will go up to as high as US$8000, depending on the severity of the bug and the quality of the report sent in by the researcher. Far bigger financial rewards are offered for functional exploits.
The firm considers a 90-day disclosure deadline acceptable, the same deadline Google's own Project Zero team adheres to.
The Android maker said eligible bugs will include those in OEM code (libraries and drivers), AOSP code, the kernel and the TrustZone OS and modules. Those to do with the chipset firmware, for example, will only be eligible if they directly impact the security of the Android operating system.
Issues to do with AOSP (Android Open Source Project) or Chrome will be dealt with by the Google VRP and Chrome rewards programs respectively, while custom ROM flaws will not be covered.
Google warned that bugs disclosed publicly, or to a third party for any reason other than fixing the bug, will not qualify for a reward. It said this may also be the case for issues that revolve around tricking the user: flaws based on phishing attacks, tapjacking, or any other attacks that require "complex user interaction".
This could also apply to bugs that only cause an app to crash, or which relate to user-debug builds.