Google launches Android bug bounty programme

Fresh from paying out US$ 1.5 million (£960,000) to security researchers who found bugs in the Chrome browser and other products last year, Google is expanding its bounty rewards programme to include its Android operating system and the devices that run it.


“Today, we're expanding our program to include researchers that will find, fix, and prevent vulnerabilities on Android, specifically,” wrote Android security engineer Jon Larimer.

He went on to say that, under the new Android Security Rewards Programme, Google will pay for “each step required to fix a security bug, including patches and tests” for Nexus phones and tablets available on Google Play. This is currently confined to the Nexus 6 and Nexus 9, although the list will doubtless grow in future.

In addition, Google will pay more to researchers who invest in tests and patches that strengthen the ecosystem, and to those “that demonstrate how to work around Android's platform security features, like ASLR, NX, and the sandboxing that is designed to prevent exploitation and protect users.”

Android will continue to participate in Google's Patch Rewards Programme, which pays for contributions that improve the security of Android (and other open source projects). Google has also sponsored mobile pwn2own for the last two years, and plans to continue with this and other competitions to find flaws in the mobile OS.

“As we have often said, open security research is a key strength of the Android platform. The more security research that's focused on Android, the stronger it will become,” summarised Larimer.

Rewards in this new bug bounty programme start from the low hundreds but will go up to as high as US$ 8,000 (£5,115), depending on the severity of the bug and the quality of the report sent in by the researcher. Far bigger financial rewards are offered for functional exploits.

The firm considers a 90-day disclosure deadline acceptable, the same deadline Google's own Project Zero team adheres to.

The Android maker says that eligible bugs include those in OEM code (libraries and drivers), AOSP code, the kernel, and the TrustZone OS and its modules, but notes that bugs in, for example, chipset firmware will only be eligible if they directly impact the security of the Android operating system.

Issues in AOSP (Android Open Source Project) or Chrome will be handled by the Google VRP and Chrome Rewards programmes respectively, while custom ROM flaws will not be covered. Google warns that bugs disclosed publicly, or to a third party for any reason other than fixing the bug, will not qualify for a reward, and says the same may apply to issues that revolve around tricking the user (i.e. flaws based on phishing attacks, tapjacking, or any other attacks that require “complex user interaction”). This could also apply to bugs that only cause an app to crash, or which relate to user-debug builds.

Marc Wickenden, technical director at UK security consultancy 4ARMED, which also provides CREST-certified penetration testing, said in an email to SCMagazineUK.com:

“Anything which encourages responsible disclosure of security bugs to the people who can do something about it is a good thing in my book.”

“I would expect we will see an increase in issues being identified and fixed but only time will tell if we see these fixes proliferate quickly down to non-Nexus devices, where there are historically issues with timely delivery and application of updates.

“Given Nexus devices account for only a tiny percentage of overall Android systems, we won't see any significant advances in real world Android security unless the phone vendors and telcos get their downstream patching processes improved in order to handle any increase in incoming fixes. Overall though, it's hard to see this as anything other than a positive announcement.”