As technology continues to advance, so do efforts by cybercriminals who look to exploit vulnerabilities in software and devices. This is why at Google and Android, security is a top priority, and we are constantly working to make our products more secure. One way we do this is through our Vulnerability Reward Programs (VRP), which incentivize security researchers to find and report vulnerabilities in our operating system and devices.
We are pleased to announce that we are implementing a new quality rating system for security vulnerability reports to encourage more security research in higher impact areas of our products and ensure the security of our users. This system will rate vulnerability reports as High, Medium, or Low quality based on the level of detail provided in the report. We believe that this new system will encourage researchers to provide more detailed reports, which will help us address reported issues more quickly and enable researchers to receive higher bounty rewards.
The highest quality and most critical vulnerabilities are now eligible for larger rewards of up to $15,000!
There are a few key elements we are looking for:
Accurate and detailed description: A report should clearly and accurately describe the vulnerability, including the device name and version. The description should be detailed enough to easily understand the issue and begin working on a fix.
Root cause analysis: A report should include a full root cause analysis that describes why the issue is happening and what Android source code should be patched to fix it. This analysis should be thorough and provide enough information to understand the underlying cause of the vulnerability.
Proof-of-concept: A report should include a proof-of-concept that effectively demonstrates the vulnerability. This can include video recordings, debugger output, or other relevant information. The proof-of-concept should be of high quality and include the minimum amount of code possible to demonstrate the issue.
Reproducibility: A report should include a step-by-step explanation of how to reproduce the vulnerability on an eligible device running the latest version. This information should be clear and concise and should allow our engineers to easily reproduce the issue and begin working on a fix.
Evidence of reachability: Finally, a report should include evidence or analysis that demonstrates the type of issue and the level of access or execution achieved.
*Note: These criteria may change over time. For the most up-to-date information, please refer to our public rules page.
Additionally, starting May 15th, 2023, Android will no longer assign Common Vulnerabilities and Exposures (CVEs) to most moderate severity issues. CVEs will continue to be assigned to critical and high severity vulnerabilities.
We believe that incentivizing researchers to provide high-quality reports will benefit both the broader security community and our ability to take action. We look forward to continuing to work with researchers to make the Android ecosystem more secure.
If you would like more information on the Android & Google Device Vulnerability Reward Program, please visit our public rules page to learn more!