In an effort to make the Android mobile operating system a safer and more secure environment, Google is offering security researchers a ridiculous amount of money if they discover any bug in it.
Under its newly launched Android Security Rewards program, it will pay security researchers who discover, fix, and prevent vulnerabilities on Android up to $40 000 (R495 000) for their efforts. There is one catch though: it has to be on a Nexus 6 or Nexus 9.
“We’re launching Android Security Rewards to help reward the contributions of security researchers who invest their time and effort in helping us make Android more secure. Through this program we provide monetary rewards and public recognition for vulnerabilities disclosed to the Android Security Team,” Google explained.
Naturally, the more bugs you find, the bigger the reward. “The reward level is based on the bug severity and increases for higher quality reports that include reproduction code, test cases, and patches.”
The reward scheme comes in four levels of severity ranging from low to critical. If you discover a critical bug, Google will pay you a base reward of $2 000, and at the maximum you will earn an extra $8 000 on top of that if you develop a compatibility test suite and a patch.
“An exploit or chain of exploits leading to kernel compromise from an installed app or with physical access to the device will get up to an additional $10 000. Going through a remote or proximal attack vector can get up to an additional $20 000.”
For the really big money, an exploit or chain of exploits leading to TEE (TrustZone) or Verified Boot compromise from an installed app or with physical access to the device will get you around $20 000, while going through a remote or proximal attack vector can get up to an extra $30 000.
“Android will continue to participate in Google’s Patch Rewards Program which pays for contributions that improve the security of Android (and other open source projects). We’ve also sponsored mobile pwn2own for the last 2 years, and we plan to continue to support this and other competitions to find vulnerabilities in Android,” said Android Security Engineer Jon Larimer.
[Image – CC by 2.0/Scott Akerman]