In the year 2010, Google launched its first Patch Reward Program. The program was to be utilized by general users and developers to help Google find and solve issues present in the behemoth’s software programs as well as its open-source mobile OS, Android. As reported by the company itself, they have paid out more than $4 million since the launch of this enormous and truly expanding program.
Just today, Google announced a new addition to the already existing Patch Reward Program. This new program is specifically meant for Android. The announcement was made at Black Hat’s Mobile Security Summit in London just a while ago.
The program covers vulnerabilities that affect Nexus phones and tablets only. This can be understandable as those are the only devices over which Google has full control over. Right now, it would be the Nexus 6 smartphone and the Nexus 9 tablet for you all.
This approach not only helps Google optimize its programs, it also helps developers and general public point out to the company what they want from Google and help the company better understand the problems at hand.
Bugs that you can report for this new program include vulnerabilities in the Android open source code, OEM libraries and drivers, the kernel and ARM TrustZone OS and modules. That’s a lot and the rewards start from a base prize of $500 for moderate flaws and vulnerabilities to a whopping #8,000 for severe security or code related bugs.
Just find a bug in the code and provide a patch with a test case and you will be rewarded. Here are a few rules the company has placed for bug detection, patching and reporting:
- Only the first report of a specific vulnerability will be rewarded.
- Bugs initially disclosed publicly, or to a third-party for purposes other than fixing the bug, will typically not qualify for a reward. Google encourages responsible disclosure, and we believe responsible disclosure is a two-way street; it’s our duty to fix serious bugs within a reasonable time frame.
Not only that, Google is also offering rewards in ‘grands’ for reporting and patching functional exploits. Here’s what they need you to do to claim the prizes:
- An exploit or chain of exploits leading to kernel compromise from an installed app or with physical access to the device will get up to an additional $10,000. Going through a remote or proximal attack vector can get up to an additional $20,000.
- An exploit or chain of exploits leading to TEE (TrustZone) or Verified Boot compromise from an installed app or with physical access to the device will get up to an additional $20,000. Going through a remote or proximal attack vector can get up to an additional $30,000.