Hi, Habr!
A year ago, a new category appeared in the Google Vulnerability Rewards program: Android Security Rewards. For finding loopholes in the Android security system, we offered up to $38,000. With the help of such incentives, we were able to detect and fix a lot of errors and vulnerabilities, and to improve the protection of our users.

It was a worthy start - and here are the results of the first year of the program:
- You have sent over 250 error reports that meet our requirements.
- 82 researchers received more than 550,000 US dollars in rewards. On average, that is $2,200 per reward and $6,700 per person.
- Our best researcher, Peter Pi (@heisecode) from Trend Micro, received $75,750 for 26 reports.
- We paid fifteen researchers no less than $10,000 each.
- No one was able to describe a remote attack consisting of a chain of vulnerabilities that compromises Android TrustZone or Verified Boot. So the main prize remained unclaimed.

Thanks to everyone who took part in the program, sent quality bug reports and helped us make Android more secure. The protection of the system has become more reliable, so from June 1, 2016 we are raising the stakes!
Finding vulnerabilities has become harder, so now we pay even more!
- The reward for a high-quality bug report with reproduction instructions has increased by 33%. For example, the reward for a critical vulnerability report with confirmation is now $4,000 instead of $3,000.
- The reward for a bug report with reproduction instructions that also includes a CTS test or patch has grown by 50%.
- We pay $30,000 instead of $20,000 for finding a kernel vulnerability (from an installed application or using physical access to a device).
- For a description of an attack consisting of a chain of vulnerabilities that compromises Android TrustZone or Verified Boot, we offer $50,000 instead of $30,000.

All changes and additional conditions of the program are described in detail in our rules.
Want to help us find security vulnerabilities? The Bug Hunter University site explains how to create a report that meets all the requirements. Remember that the better the report, the higher the reward will be. Don't forget to also see our updated error rating.
Thanks to everyone who helped us make the Android OS more secure. We have learned a lot this year and are looking into the future with interest.