Briefly: Last year, Google's bug bounty program awarded at least $12 million to researchers who identified security flaws in its products and services. That figure is up significantly from the $8.7 million paid in 2021 and is expected to continue to grow in the coming years. The company is now extending its security research efforts with a new program that targets first-party Android apps.
Earlier this month, Google updated the Android and Google Devices Vulnerability Reward Program (VRP) with a new quality rating system for bug reports and increased the maximum reward for finding critical vulnerabilities to $15,000. The company explained at the time that this would make it easier to fix security flaws in Pixel phones, Google Nest devices, and Fitbit wearables, as well as the Android OS, in a more timely manner.
This week, the company launched the Mobile Vulnerability Rewards Program (Mobile VRP), which targets researchers interested in poking and prodding the security of Android apps made by Google or other Alphabet-owned companies.
The new program classifies first-party Android apps into three tiers. The first tier includes the most important apps, such as Google Play Services, Google Chrome, Gmail, Chrome Remote Desktop, Google Cloud, and AGSA (the Google Search widget in Android). Tier 2 and Tier 3 apps include those developed by Google's research division, Google Samples, Red Hot Labs, Nest Labs, Waymo, and Waze.
As for the types of security vulnerabilities that qualify for the Mobile VRP, Google says it is mostly interested in bugs that allow arbitrary code execution and data theft, so its security engineers will prioritize such reports. That said, the company also wants to learn about other security flaws that could be used as part of exploit chains, including path traversal or zip path traversal vulnerabilities, orphaned permissions, and intent redirections that could be used to launch non-exported application components.
Rewards vary based on the severity of the discovered flaw and the affected apps, and Google is willing to pay as much as $30,000 for flaws that allow attackers to execute remote code without user interaction. The most substantial rewards for finding a serious flaw in Tier 2 and Tier 3 apps are $25,000 and $20,000, respectively. The lowest amount awarded for a qualifying report is $500, but Google may also apply a $1,000 bonus for exceptional writeups.
Google's bug bounty program is among the largest in the tech industry, with $12 million paid out to security researchers in 2022 alone. The highest reward was $605,000 for an expert who discovered an exploit chain comprised of five vulnerabilities in Android.
Security researchers who are interested in the Mobile VRP can find more details here. Google says reports must be succinct and include a short proof-of-concept if possible – some tips on how to submit better bug reports can be found here.
In related news, researchers this week detailed a new brute-force attack that can bypass fingerprint locks on Android phones. It affects several popular models from companies like Samsung, Xiaomi, and OnePlus, and the exploit can be carried out in a relatively short amount of time and with relatively cheap hardware.
Masthead credit: Alexander London