Google launched its vulnerability rewards program in 2010, mainly to reward researchers who discover bugs in Google's apps and services. The program was expanded last year, when Google announced the Android Security Reward program, introduced to ensure the security and safety of all Android users. In the last year alone Google paid around $200,000 to researchers for finding vulnerabilities, and the total paid to date has reached $550,000. Still, no researcher has been able to crack Android's TrustZone or Verified Boot with a remote exploit, which is why Google announced increased cash rewards on the one-year anniversary of the Android Security Reward program.
The total was paid out to 82 individuals who submitted 250 qualifying vulnerability reports. The program focuses mainly on Nexus devices in order to improve Android security, but more than one third of the bugs were reported in third-party OEM code, such as the kernel, that is developed and used outside the Android Open Source Project, according to Quan To, Google's program manager for Android security.
Google said its top payout was $75,750, which went to the top researcher, @heiscode, who submitted a total of 26 vulnerability reports. The company also paid $10,000 or more to 15 researchers; however, it did not mention who received the biggest bug reward.
Despite all this, researchers were unable to find any bugs in the most secure and important areas of Android, TrustZone and Verified Boot, so Google has decided to increase the rewards to entice researchers further toward finding vulnerabilities in that area. The company previously offered $30,000 for a remote exploit chain or an exploit leading to a TrustZone or Verified Boot compromise; the amount is now $50,000. On top of that, Google will now pay 33% more for high-quality vulnerability reports that come with a proof of concept.
The reward for a proximal kernel exploit also rose by $10,000, from $20,000 to $30,000. Here too, researchers benefit from submitting high-quality vulnerability reports along with a proof of concept and a CTS test. The main aim is to tighten Android's security further and give users the utmost safety.