Google Offers Up to $30k Bounties for Discovering Android Vulnerabilities

Google has announced a new Android Security Rewards program to encourage the Android developer community to discover vulnerabilities and disclose them to the Android Security Team. The reward level is based on the bug severity and payments are elevated for high quality reports that include reproduction code, test cases, and patches.

The program covers security vulnerabilities discovered in the latest available Android versions for Nexus phones and tablets currently available for sale in the Google Store in the U.S. As of June 2015 this covers: Nexus 6 and Nexus 9. Vulnerabilities that only affect other Google devices (such as Nexus Player, Android Wear, or Project Tango) are not eligible.

Android Security Rewards covers bugs in code that runs on eligible devices and isn't already covered by other reward programs at Google. Eligible bugs include those in Android Open Source Project (AOSP) code, OEM code (libraries and drivers), the kernel, and the TrustZone OS and modules. Vulnerabilities in other non-Android code, such as the code that runs in chipset firmware, may be eligible if they impact the security of the Android OS.

Non-AOSP apps developed by Google and published in Google Play may be covered separately under the Google Vulnerability Reward Program (VRP), which also covers server-side issues. Vulnerabilities in Chrome may be handled under the Chrome Rewards program.

Qualifying vulnerabilities include critical, high, and moderate severity vulnerabilities. In special cases Google may consider offering rewards for test cases and patches for low-severity vulnerabilities. Patches that don't necessarily fix a vulnerability but provide additional hardening may qualify for Google Patch Rewards.

Only the first report of a specific vulnerability will be rewarded. Bugs initially disclosed publicly, or to a third-party for purposes other than fixing the bug, will typically not qualify for a reward. 

There are also a few classes of vulnerabilities that will generally not qualify for a reward:

- Issues that require complex user interaction. For example, if the vulnerability requires installing an app and then waiting for a user to make an unlikely configuration change.

- Phishing attacks that involve tricking the user into entering credentials.

- Tap-jacking and UI-redressing attacks that involve tricking the user into tapping a UI element.

- Issues that only affect userdebug builds or require debugging access (ADB) to the device.

- Bugs that simply cause an app to crash.

The reward amount depends on the severity of the vulnerability and the quality of the report. A bug report that includes reproduction code will receive a higher reward than a simple report pointing out vulnerable code. A well-written CTS test and patch will result in an even higher reward.

The base reward amounts for vulnerability severity are typically: Critical - $2,000; High - $1,000 and Moderate - $500. Google will reward up to 1.5x the base amount if the bug report includes standalone reproduction code or a standalone test case (such as a malformed file). 

If the bug report includes a patch that fixes the issue or a CTS test that detects the issue, Google will apply up to a 2x reward modifier. If there is both a CTS test and a patch, there's a potential for a 4x reward modifier. CTS tests and patches must apply cleanly to AOSP's master branch and comply with Android's Coding Style Guidelines to be eligible for these additional reward amounts.

Besides the aforementioned reward levels, Google offers additional, much larger rewards for functional exploits:

- An exploit or chain of exploits leading to kernel compromise from an installed app or with physical access to the device will get up to an additional $10,000. Going through a remote or proximal attack vector can get up to an additional $20,000.

- An exploit or chain of exploits leading to TEE (TrustZone) or Verified Boot compromise from an installed app or with physical access to the device will get up to an additional $20,000. Going through a remote or proximal attack vector can get up to an additional $30,000.

The final amount is always chosen at the discretion of the reward panel. Google may decide to pay higher rewards for unusually clever or severe vulnerabilities; decide that a single report actually constitutes multiple bugs; or that multiple reports are so closely related that they only warrant a single reward.

For those who would like to donate their reward to charity, Google offers the option to donate a reward to an established charity and will double the donation - subject to company discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of Google’s choosing.

All bugs should be reported to AOSP's public bug tracker using the Security Bug Report template. Developers that are submitting a patch or CTS test, should attach the patches to the bug report instead of uploading them directly to AOSP. 

Google will not issue rewards to individuals who are on sanctions lists, or who are in countries on sanctions lists including Crimea, Cuba, Iran, North Korea, Sudan and Syria. To avoid conflicts of interest, Google will not grant rewards to people employed by Google or Google Partner companies who develop code for devices covered by this program.

Google provides a list of frequently asked questions on the Android Security Rewards homepage.