Android 13 Beta bug bounty hunters get a 50% bonus. from Google

Android 13 Beta bug bounty hunters get a 50% bonus. from Google

Online library app Onleihe faces issues after cyberattack on provider
“Vulnerabilities must be exclusive to Android 13 and must not reproduce on any other version of Android.” Google asked those who submit eligible vulnerabilities to include the phrase “Android 13 Beta” in the title of their reports to ensure that they’re correctly tagged for this payout bonus program. The list of qualifying flaws includes those found in Android Open Source Project (AOSP) and other OS code, as well as OEM libraries and drivers code, system on chip (SoC), MicroController Unit (MCU), and any other software used by Android devices if they impact the security of Google devices and platforms.

Google has stated that through May 26th, 2022, all security researchers who disclose Android 13 Beta vulnerabilities through its Vulnerability Rewards Program (VRP) would receive a 50% extra on top of the usual payout. A comprehensive remote code execution vulnerability chain on the Titan M utilised in Google Pixel Phones running an Android 13 Beta release will earn bug hunters up to $1.5 million. “All security vulnerabilities that reproduce only on Android 13 Beta 1 are eligible for an additional 50 percent prize award on top of the usual incentive payout between April 26th, 2022 and May 26th, 2022,” the business adds on the Bug Hunters page.

Highlights

  • The maximum exploit reward for vulnerabilities allowing code execution reaches up to $1 million for Pixel Titan M bugs without considering the Android preview payout bonus. Data exfiltration bugs can also earn researchers a reward of up to $500,000 for sensitive data secured by Pixel Titan M, while payouts for software-based lock screen bypasses can go up to $100,000. Jan Keller, a Google VRP Technical Program Manager, revealed in July 2021 that Google has paid rewards to over 2,000 security researchers from 84 different countries for reporting over 11,000 bugs since launching its first VRP more than ten years ago.

  • Researchers are also eligible for extra rewards if they provide full exploit chains combining multiple security flaws and demonstrating arbitrary code execution, data exfiltration, or a lock screen bypass (achieved via software). The final reward amount for all reported bugs is at the discretion of Google’s reward committee, and it depends on several factors, including (but not limited to) the availability of a buildable exploit, a detailed write-up, the attack vector, and the exploit’s reliability. “Exploit chains found on specific developer preview versions of Android are eligible for up to an additional 50% reward bonus,” Google adds.

 

In all, Google had paid over $29 million in bounty rewards since January 2010, when it launched the Chromium vulnerability reward program. The company has awarded a record-breaking $8,700,000 in rewards in 2021, including a $157,000 payout for an exploit chain, the highest in Android VRP history.