Android Security Rewards is 1 year old
Hello, Habr! A year ago, a new category appeared in the Google Vulnerability Rewards program: Android Security Rewards. We offered up to 38,000 US dollars for finding flaws in the Android security system. These incentives helped us find and fix many bugs and vulnerabilities and improve the protection of our users.

It was a good start. Here are the results of the program's first year:
- You sent over 250 bug reports that meet our requirements.
- 82 researchers received over $550,000 in rewards. On average, $2,200 was paid per reward and $6,700 per person.
- Our top researcher, Peter Pi (@heisecode) from Trend Micro, received $75,750 for 26 reports.
- We paid fifteen researchers at least $10,000.
- No one was able to describe a remote attack consisting of a chain of vulnerabilities that compromises Android TrustZone or Verified Boot, so the main prize remained unclaimed.
Thanks to everyone who participated in the program, sent quality bug reports and helped us improve Android. The system's protection is now more reliable, so from June 1, 2016 we are raising the rates!
Finding a vulnerability has become more difficult, so now we pay even more!
- The reward for a quality bug report with instructions for reproducing the bug increased by 33%. For example, the reward for detecting a critical vulnerability with confirmation is now $4,000 instead of $3,000.
- The reward for a bug report with reproduction instructions that also includes a CTS test or a patch increased by 50%.
- For detecting a kernel vulnerability (from an installed application or through physical access to a device), we pay $30,000 instead of $20,000.
- For a description of an attack consisting of a chain of vulnerabilities that compromises Android TrustZone or Verified Boot, we offer $50,000 instead of $30,000.
All changes and additional terms of the program are described in detail in our rules.
Want to help us find security vulnerabilities? The Bug Hunter University website describes how to create a report that meets all the requirements. Remember that the better the report, the higher the reward. Be sure to also review our updated bug criticality rating.
Thanks to everyone who helped us make Android even more secure. We have learned a lot over this year and are looking to the future with interest.