
U.S. – Google Inc. (GOOGL) today unveiled a bug bounty program called the Android Security Rewards Program. Through this program, Google has invited professional hackers across the globe to find security flaws in its Android devices.

The Google Bug Bounty Program will also pay a reward of up to $38,000 to the hackers for their time and effort in researching security vulnerabilities in Android. Google mentions that the reward level will be determined by the severity of the bug or flaw. The reward will certainly be higher for reports that include reproduction code, patches and test cases.

Google has published several details about the Android Security Rewards Program, such as its scope, qualifying vulnerabilities, reward amounts, how to report bugs and how the patches will be investigated by Google.

Scope of Google Bug Bounty Program

The Google Bug Bounty Program will cover bugs found in the latest Android versions on Nexus phones and tablets that are available in the Google Store in the U.S. These mainly include the Nexus 6 and Nexus 9. However, the devices covered by the Google Bug Bounty Program might change later on.

Google also lists the bugs that are eligible for the Android Security Rewards Program. These include bugs in code that runs on eligible devices and that are not covered by Google’s other reward programs. The eligible bugs will be the ones found in OEM code, the kernel, the TrustZone OS, AOSP code and the TrustZone modules.

Reward amounts in Google Bug Bounty Program

Google mentions some important points about the rewards structure:

“The reward amount depends on the severity of the vulnerability and the quality of the report. A bug report that includes reproduction code will get more than a simple report pointing out vulnerable code. A well-written CTS test and patch will result in an even higher reward.”

There are three levels mentioned for the reward. The most ‘Critical’ bug reports will be rewarded with $2,000; the ‘High’ level bug reports will get $1,000; while the ‘Moderate’ level bug reports will get $500. Google published a table explaining the reward schedule.

Google is all set to hunt down the security flaws in its Android devices. In the past, Google has already run such Bug Bounty programs and they worked well. It will be interesting to see how this new Google Bug Bounty program works.