As technology continues to advance, so do the efforts of cybercriminals who look to exploit vulnerabilities in software and devices. This is why, at Google and Android, security is a top priority, and we are constantly working to make our products more secure. One way we do this is through our Vulnerability Reward Programs (VRP), which incentivize security researchers to find and report vulnerabilities in our operating system and devices.
We are pleased to announce that we are implementing a new quality rating system for security vulnerability reports, to encourage more security research in higher-impact areas of our products and to ensure the security of our users. This system will rate vulnerability reports as High, Medium, or Low quality based on the level of detail provided in the report. We believe that this new system will encourage researchers to provide more detailed reports, which will help us address reported issues more quickly and enable researchers to receive higher bounty rewards.
The highest quality and most critical vulnerabilities are now eligible for larger rewards of up to $15,000!
There are a few key elements we are looking for:
Accurate and detailed description: A report should clearly and accurately describe the vulnerability, including the device name and version. The description should be detailed enough to easily understand the issue and begin working on a fix.
Root cause analysis: A report should include a full root cause analysis that describes why the issue is occurring and which Android source code should be patched to fix it. This analysis should be thorough and provide enough information to understand the underlying cause of the vulnerability.
Proof-of-concept: A report should include a proof-of-concept that effectively demonstrates the vulnerability. This can include video recordings, debugger output, or other relevant information. The proof-of-concept should be of high quality and include the minimum amount of code possible to demonstrate the issue.
Reproducibility: A report should include a step-by-step explanation of how to reproduce the vulnerability on an eligible device running the latest version. This information should be clear and concise, and should allow our engineers to easily reproduce the issue and begin working on a fix.
Evidence of reachability: Lastly, a report should include evidence or analysis that demonstrates the type of issue and the level of access or execution achieved.
*Note: These criteria may change over time. For the most up-to-date information, please refer to our public rules page.
Additionally, starting March 15th, 2023, Android will no longer assign Common Vulnerabilities and Exposures (CVEs) to most moderate severity issues. CVEs will continue to be assigned to critical and high severity vulnerabilities.
We believe that incentivizing researchers to provide high-quality reports will benefit both the broader security community and our ability to take action. We look forward to continuing to work with researchers to make the Android ecosystem more secure.
If you would like more information on the Android & Google Device Vulnerability Reward Program, please visit our public rules page to learn more!