Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
eWEEK.com
Search
eWEEK.com
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Android
    • Android
    • Cybersecurity

    Google Boosts Top Bug Bounty for Critical Android Flaws to $200,000

    By
    JAIKUMAR VIJAYAN
    -
    June 5, 2017
    Share
    Facebook
    Twitter
    Linkedin
      android security

      Google has sharply increased the cash rewards available to security researchers who find certain categories of vulnerabilities in its products.

      Starting this week, the company will award $200,000 to any researcher that can demonstrate a successful remote exploit against Google’s TrustZone and Verified Boot technologies. That number represents a four-fold increase over the $50,000 it used to offer for the same vulnerabilities previously.

      Rewards for remote kernel exploits have been bumped up from $30,000 to $150,000.

      No researcher has successfully claimed rewards for finding vulnerabilities and developing exploits in these categories in the past two years, said Mayank Jain and Scott Roberts, two members of the Android Security team in a blog. So Google has decided to increase the top-line payouts for these exploits, they noted.

      The move to increase the reward money appears designed to get more security researchers to try and take a crack at the company’s core technologies.

      Google launched its Android Security Rewards program two years ago. Like other bug bounty programs including Google’s own Vulnerability Reward Program, the Android program rewards security researchers who find and report Android security vulnerabilities to the company in a responsible manner. In 2016, Android had the dubious distinction of being the buggiest operating system with more than 520 distinct vulnerabilities reported in the operating system.

      The Google program applies to vulnerabilities that are discovered in versions of Android running on Google’s Pixel, Pixel XL and Pixel C mobile devices. Bugs that are eligible for reward include those that are discovered in Android Open Source Project code, in libraries and drivers, the operating system kernel and the TrustZone device level security mechanism for protecting encryption keys and other sensitive data.

      As with other bug bounty programs, Google’s reward amounts vary depending on the criticality of the bug. Security researchers who report low severity bugs can earn up to $330 per bug, moderate bugs receive between $20,000 and $35,000 while high severity flaws can fetch between $75,000 and $100,000. Critical flaws, such as those in TrustZone and Verified Boot now fetch up to $200,000.

      According to Jain and Roberts, Google has so far paid a total of more than $1.5 million to bug hunters since the company launched the Android rewards program two years ago. About $1.1 million of that amount was paid out in the last 12 months alone, they noted.

      About 31 individuals made $10,000 or more reporting Android bugs to Google.  Members of the CORE Team, a group of independent security researchers from academia and industry, collectively earned more than $300,000 in bug bounties in the past 12 months. The group reported 118 vulnerabilities to Google in total, Jain and Roberts said.

      On top of rewarding security researchers, Google is also working with Android device makers to get them to implement Android security patches more quickly. Google moved to a monthly security patch release cycle in August 2015. Since then the company has been aggressive about ensuring that its own Android products are patched quickly and has been coaxing others to do the same.

      A majority of deployed Android devices from about one dozen vendors currently have patches that are less than 90 days old. Among them are BlackBerry, Fujitsu, Motorola and Samsung, Jain and Roberts said.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      CHRIS PREIMESBERGER - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      CHRIS PREIMESBERGER - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      EWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      ZEUS KERRAVALA - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      WAYNE RASH - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Info

      © 2020 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×