Google is turning its security focus to Android with a newly announced security rewards program for researchers. Just last year the company gave out more than US$1.5 million to security researchers who found bugs in the company’s browser and products, but today the company is launching the Android Security Rewards program to point the effort toward its operating system.
“We’re launching Android Security Rewards to help reward the contributions of security researchers who invest their time and effort in helping us make Android more secure,” the company wrote on its website. “Through this program we provide monetary rewards and public recognition for vulnerabilities disclosed to the Android Security Team.”
(Related: Mozilla’s own bug bounty program)
The payouts will be based on bug severity and on reproductions code, test cases and patches. Currently, the payout for a moderate vulnerability is $500 and $2,000 for a critical vulnerability, but researchers could receive up to $8,000 depending on their security reports.
“The largest rewards are available to researchers that demonstrate how to work around Android’s platform security features, like ASLR, NX, and the sandboxing that is designed to prevent exploitation and protect users,” wrote Jon Larimer, Android security engineer, in a blog post.
To start, the security program will include Nexus 6 and Nexus 9 devices. In addition, the company noted that Android would continue to be a part of the Google Patch Reward Program.
“As we have often said, open security research is a key strength of the Android platform. The more security research that’s focused on Android, the stronger it will become,” Larimer wrote.
Jun 17, 2015 3:39:48 PM