As technology continues to advance, so do the efforts of cybercriminals who look to exploit vulnerabilities in software and devices. This is why, at Google and Android, security is a top priority, and we are constantly working to make our products more secure. One way we do this is through our Vulnerability Reward Programs (VRP), which incentivize security researchers to find and report vulnerabilities in our operating system and devices.
We are pleased to announce that we are implementing a new quality rating system for security vulnerability reports to encourage more security research in higher-impact areas of our products and to ensure the safety of our users. This system will rate vulnerability reports as High, Medium, or Low quality based on the level of detail provided in the report. We believe this new system will encourage researchers to submit more detailed reports, which will help us address reported issues more quickly and enable researchers to receive higher bounty rewards.
The highest-quality and most critical vulnerabilities are now eligible for larger rewards of up to $15,000!
There are several key elements we are looking for:
Accurate and detailed description: A report should clearly and accurately describe the vulnerability, including the device name and version. The description should be detailed enough to easily understand the issue and begin working on a fix.
Root cause analysis: A report should include a full root cause analysis that describes why the issue is occurring and which Android source code should be patched to fix it. This analysis should be thorough and provide enough information to understand the underlying cause of the vulnerability.
Proof-of-concept: A report should include a proof-of-concept that effectively demonstrates the vulnerability. This can include video recordings, debugger output, or other relevant information. The proof-of-concept should be of high quality and include the minimum amount of code possible to demonstrate the issue.
Reproducibility: A report should include a step-by-step explanation of how to reproduce the vulnerability on an eligible device running the latest version. This information should be clear and concise and should allow our engineers to easily reproduce the issue and begin working on a fix.
Evidence of reachability: Finally, a report should include evidence or analysis that demonstrates the type of issue and the level of access or execution achieved.
*Note: These criteria may change over time. For the most up-to-date information, please refer to our public rules page.
Additionally, starting March 15th, 2023, Android will no longer assign Common Vulnerabilities and Exposures (CVEs) to most moderate-severity issues. CVEs will continue to be assigned to critical- and high-severity vulnerabilities.
We believe that incentivizing researchers to provide high-quality reports will benefit both the broader security community and our ability to take action. We look forward to continuing to work with researchers to make the Android ecosystem more secure.
If you would like more information on the Android & Google Device Vulnerability Reward Program, please visit our public rules page to learn more!