Google is launching a new bug bounty program focused on Android, paying up to $8,000 for reported vulnerabilities. This is not the company's first bug hunter program: it has paid out $4 million through its existing reward programs over the past several years.
Already have a bug written up? Report it through AOSP's public bug tracker using the Security Bug Report template. Note that only the Nexus 6 and Nexus 9 are eligible for the time being.
Google restricted proof-of-concept attacks to Nexus devices so that the Android team can readily reproduce and verify claims, and it believes the bounty program will benefit the many Android variants shipped by partner manufacturers such as HTC, LG and Samsung. “Nexus devices include all of the code that is common across the Android ecosystem… We’ve also tuned the financial incentives for tests, patches, and exploit mitigation so that the research can provide the broadest benefit to the ecosystem,” Google said. Lower-severity issues will earn correspondingly smaller rewards.
Google already runs a range of bug bounties and has paid out millions of dollars for vulnerabilities found across its software estate, but until now it was not rewarding flaws specific to the Android codebase. The bounty is likely to attract researchers who hunt Android kernel vulnerabilities in order to root devices, a process that removes the restrictions Google or the partner manufacturer imposes on the operating system. The K33N Team, a well-known Chinese hacker crew, recently published its own rooting tool for the Samsung Galaxy S6, and it has also earned thousands of dollars uncovering vulnerabilities in major security competitions.
Source: Google