As technology continues to advance, so do the efforts of cybercriminals who look to exploit vulnerabilities in software and devices. This is why at Google and Android, security is a top priority, and we are constantly working to make our products more secure. One way we do this is through our Vulnerability Reward Programs (VRP), which incentivize security researchers to find and report vulnerabilities in our operating system and devices.
We are pleased to announce that we are implementing a new quality rating system for security vulnerability reports to encourage more security research in higher-impact areas of our products and to ensure the security of our users. This system will rate vulnerability reports as High, Medium, or Low quality based on the level of detail provided in the report. We believe that this new system will encourage researchers to provide more detailed reports, which will help us address reported issues more quickly and enable researchers to receive higher bounty rewards.
The highest-quality reports of the most critical vulnerabilities are now eligible for larger rewards of up to $15,000!
There are a few key elements we are looking for:
Accurate and detailed description: A report should clearly and accurately describe the vulnerability, including the device name and version. The description should be detailed enough to easily understand the issue and begin working on a fix.
Root cause analysis: A report should include a full root cause analysis that describes why the issue is occurring and which Android source code should be patched to fix it. This analysis should be thorough and provide enough information to understand the underlying cause of the vulnerability.
Proof-of-concept: A report should include a proof-of-concept that effectively demonstrates the vulnerability. This can include video recordings, debugger output, or other relevant information. The proof-of-concept should be of high quality and include the minimum amount of code needed to demonstrate the issue.
Reproducibility: A report should include a step-by-step explanation of how to reproduce the vulnerability on an eligible device running the latest version. This information should be clear and concise and should allow our engineers to easily reproduce the issue and begin working on a fix.
Evidence of reachability: Lastly, a report should include evidence or analysis that demonstrates the type of issue and the level of access or execution achieved.
*Note: These criteria may change over time. For the most up-to-date information, please refer to our public rules page.
Additionally, starting March 15th, 2023, Android will no longer assign Common Vulnerabilities and Exposures (CVE) identifiers to most moderate-severity issues. CVEs will continue to be assigned to critical- and high-severity vulnerabilities.
We believe that incentivizing researchers to provide high-quality reports will benefit both the broader security community and our ability to take action. We look forward to continuing to work with researchers to make the Android ecosystem more secure.
If you would like more information on the Android & Google Device Vulnerability Reward Program, please visit our public rules page to learn more!