Google Android Paying $1.5 Million To Find Security Bugs
Hack To Earn!
The new Android Security rewards program increase up-to $1.5 million to help Google to make it more secure.
Including following program covers security vulnerabilities discovered in the latest available Android versions for Pixel phones and tablets.
- Pixel 4 device
- Pixel 3a and Pixel 3a XL devices
- Pixel 3 and Pixel 3 XL devices
Android Security Rewards covers bugs in code that runs on eligible devices and isn’t already covered by other reward programs at Google. Eligible bugs include those in AOSP code, OEM code (libraries and drivers), the kernel, the Secure Element code, and the TrustZone OS and modules.
Vulnerabilities in other non-Android code, such as the code that runs in chipset firmware, may be eligible if they impact the security of the Android OS.
Code execution reward amounts as follow
- Pixel Titan M Up to $1,000,000
- Secure Element Up to $250,000
- Trusted Execution Environment Up to $250,000
- Kernel Up to $250,000
- Privileged Process Up to $100,000
Data exfiltration reward amounts
- High value data secured by Pixel Titan M Up to $500,000
- High value data secured by a Secure Element Up tp $250,000
Lockscreen bypass reward amount
- Lockscreen bypass up to $100,000
Qualifying exploit chains
Google is rewarding extra for a full exploit chain (typically multiple vulnerabilities chained together) that demonstrates arbitrary code execution, data exfiltration, or a lockscreen bypass. The actual reward amount is at the discretion of the rewards committee and depends on a number of factors, including (but not limited to):
- Whether there is a detailed writeup describing how the exploit works.
- The initial attack vector (ie. remote exploitation versus local).
- Whether the exploit is device- or build-specific, or whether it works across a broad set of builds and devices.
- The amount of user interaction required for the exploit to work.
- Whether the user could feasibly detect that an exploit is in progress or has completed.
How reliable the exploit is?
Exploits chains found on specific developer preview versions of Android are eligible for up to an additional 50 percent reward bonus.
Google Android Security Rewards program was announced in 2015. The Company claims that, they have paid out over 4 Million dollars to security researchers who reported the vulnerabilities.