The Complete Magazine on Open Source

Google set to pay you $200,000 for exploiting Android

2.62K 1

Android bug bounty programme

To drastically reduce Android vulnerabilities, Google has upgraded its bounty programme and is now giving away as much as $200,000 for finding security holes in the open source platform. The latest move comes days after “Judy” malware hit more than 36.5 million Android devices globally.

Google has increased the rewards for a remote exploit chain, exploiting TrustZone and Verified Boot from $50,000 to $200,000. Also, the top-line payouts for a remote kernel exploit have been increased from $30,000 to $150,000. The company claims that despite the massive reward models, no one has so far managed to claim the largest bug bounties due to regular security updates.

“Because every Android release includes more security protections and no researchers has claimed the top reward for an exploit chains in two years,” Android Security team, consists of Mayank Jain and Scott Roberts, writes in a blog post.

Paid over $1.5 million since launch

Originally started in 2015, the Android Security Rewards programme has so far rewarded over $1.5 million to developers and researchers. The Android maker received over 450 qualifying vulnerabilities reports last year and the average pay per researcher increased by 52.3 percent. Furthermore, the top research team received over $300,000 for 118 vulnerability reports.

Irrespective the growth of bug bounties, Android often gets in the news for its vulnerabilities. Cybersecurity firm Check Point, just last month, reported the “Judy” attack and challenged the downloads of malicious apps between 4.5 million to 18.5 million times from Google Play Store.

How to participate

You can join the upgraded Android Security Rewards and gain with the massive monetary rewards. For all this, you need to own a Pixel phone or tablet with the latest Android version and exploit the platform with a qualifying vulnerability, which can have critical, high or moderate severity.

The detected bugs should be reported in the Android Security Issue template. You can also submit a patch or CTS test along with the files attached to the bug report. Importantly, the patch or test should conform to Android’s Coding Style Guidelines to get an eligible reward amount without any deductions.