Android Security Rewards Program Rules
The Android Security Rewards program recognizes the contributions of security researchers who invest their time and effort in helping us make Android more secure. Through this program we provide monetary rewards and public recognition for vulnerabilities disclosed to the Android Security Team. The reward level is based on the bug severity and increases for complete reports that include reproduction code, test cases, and patches.
Scope of program
This program covers security vulnerabilities discovered in the latest available Android versions for Pixel phones and tablets. This set of devices will change over time, but as of October 2017 this covers:
Pixel 2
Pixel and Pixel XL
Pixel C
Android Security Rewards covers bugs in code that runs on eligible devices and isn't already covered by other reward programs at Google. Eligible bugs include those in AOSP code, OEM code (libraries and drivers), the kernel, and the TrustZone OS and modules. Vulnerabilities in other non-Android code, such as the code that runs in chipset firmware, may be eligible if they impact the security of the Android OS.
Non-AOSP apps developed by Google and published in Google Play may be covered under our Google VRP, which also covers server-side issues. Vulnerabilities in Chrome may be handled under the Chrome Rewards program.
At this time, vulnerabilities that only affect other Google devices (such as Nexus Player, Android Wear, or Project Tango) are not eligible for Android Security Rewards.
Qualifying vulnerabilities
In general, we will reward critical, high, and moderate severity vulnerabilities. Patches that don't necessarily fix a vulnerability but provide additional hardening may qualify for Google Patch Rewards.
There are a few rules that we follow when rewarding a vulnerability report:
Only the first report of a specific vulnerability will be rewarded.
A bug report must include as much detail as possible, a buildable proof of concept, crash dump if available, and any additional repro steps. For tips on how to submit complete reports, refer to Bug Hunter University.
Bugs initially disclosed publicly, or to a third-party for purposes other than fixing the bug, will typically not qualify for a reward. Google encourages responsible disclosure, and we believe responsible disclosure is a two-way street; it's our duty to fix serious bugs within a reasonable time frame.
There are also a few classes of vulnerabilities that will generally not qualify for a reward:
Issues that require complex user interaction, for example a vulnerability that requires installing an app and then waiting for the user to make an unlikely configuration change.
Phishing attacks that involve tricking the user into entering credentials.
Tap-jacking and UI-redressing attacks that involve tricking the user into tapping a UI element.
Issues that only affect userdebug builds or require debugging access (ADB) to the device.
Bugs that simply cause an app to crash.
Low severity issues typically do not qualify for rewards, as described in Bug Hunter University, with some exceptions.
Reward amounts
The reward amount depends on the severity of the vulnerability and the quality of the report. A valid but low quality bug report may receive up to $200. A complete report includes as much detail as possible, a proof of concept, crash dump if available, and any additional repro steps. The proof of concept should be standalone reproduction code or a malformed file that reproduces the issue. Malformed files that are copyright material or can’t be distributed with a CTS test may qualify for a lower reward amount.
This table shows the reward amounts for typical rewards, effective June 1, 2017 (any submissions prior to June 1 will be paid using the previous rewards table):
Severity | Complete report* + PoC | Payment range (report includes an exploit leading to kernel compromise)** | Payment range (report includes an exploit leading to TEE compromise)**
Critical | Required | Up to $150,000 | Up to $200,000
High     | Required | Up to $75,000  | Up to $100,000
Moderate | Required | Up to $20,000  | Up to $35,000
Low      | Required | Up to $330     | Up to $330
* Bug reports that are incomplete or do not include a proof of concept will receive up to $200 depending on severity.
** Subject to the discretion of the rewards committee
Patch and CTS test submissions may qualify for a reward of up to $1000 each; the final amount is paid at the discretion of the rewards committee. To be eligible for these additional reward amounts, submitted CTS tests and patches must apply cleanly to AOSP's master branch, comply with the Coding Style Guidelines, and be accepted as the actual fix.
Researchers who submit a report including a proof of concept to the Android Security Rewards program for an issue originally submitted to a third-party bug bounty program may qualify for a $1000 bonus reward, provided we do not already have a working proof of concept. To qualify for this bonus, researchers must provide the CVE ID of the issue as addressed in an Android Security Bulletin for an eligible device.
The final amount is always chosen at the discretion of the reward panel. In particular, we may decide to pay even more for unusually clever or severe vulnerabilities, decide that a single report actually constitutes multiple bugs, or that multiple reports are so closely related that they only warrant a single reward.
We understand that some of you are not interested in money. We offer the option to donate your reward to an established charity. If you do so, we will double your donation (subject to our discretion). Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
Investigating and reporting bugs
All bugs should be reported using the Android Security Issue template. If you are submitting a patch or CTS test, please attach the files to the bug report. Again, if your patch or test doesn’t conform to Android's Coding Style Guidelines, we may reduce the reward amount.
When investigating a vulnerability, only ever target your own devices. Never attempt to access anyone else's data, and do not engage in any activity that would be disruptive or damaging to your fellow users or to Google.
Note that we are only able to respond to technical vulnerability reports. Non-security bugs and queries about problems with your account should instead be directed to Google Help Centers.