Slashdot Mirror


Google Expands Security Rewards To Bugs In Android Devices

An anonymous reader sends news that Google has launched the Android Security Rewards program, which expands its bug bounty efforts to include vulnerabilities in the Android mobile operating system. At present, the program is fairly limited — only bugs found in the most recent version of Android are accepted, and only those that exist on the Nexus 6 phone or the Nexus 9 tablet. Google says that list will change in the future. "Eligible bugs include those in Android Open Source Project (AOSP) code, OEM code (libraries and drivers), the kernel, and the TrustZone OS and modules. Vulnerabilities in other non-Android code, such as the code that runs in chipset firmware, may be eligible if they impact Android’s overall security." Bounty amounts range from $500 for a moderate severity bug to $2,000 for a critical bug. The amounts can be increased by various multipliers if a security researcher is able to submit code that helps Google test or fix the issue.

20 comments

  1. I found a problem with the Nexus 6 by ArcadeMan · · Score: 3, Funny

    It doesn't even know it's an android.

  2. Hmmm ... by gstoddart · · Score: 1

    So, is it more lucrative to claim the bounty, or exploit the bug?

    Seems to me you can sell it to shady people for more money.

    --
    Lost at C:>. Found at C.
    1. Re:Hmmm ... by swillden · · Score: 1

      So, is it more lucrative to claim the bounty, or exploit the bug?

      Seems to me you can sell it to shady people for more money.

      Only if you're the sort to do that.

      It's the norm across the whole industry that the black market in vulnerabilities is more lucrative than the "white hat" side. And yet, it appears that the white hat industry is far larger -- and probably more effective. Why? Multiple reasons: Most people want to be honest, many of them like the public recognition they get from publishing, and there are a lot of risks in dealing with the sorts of shady people who pay lots of money for vulnerabilities. The net is that the best people almost invariably end up on the white hat side.

      Bug bounties have proven to be highly effective. How does the industry know? Simple: monitor the prices of black market vulnerabilities. Vulnerability Reward Programs tend to cause a spike in black market prices far out of proportion with the VRP payments. Partly this is because VRPs tend to sweep up most of the low-hanging fruit quickly, and partly it's because, given the choice, getting $8K and a public "thank you" from Google, plus being able to publish and present, is a lot more attractive to many people than getting $50K from the Chinese. Or the NSA.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    2. Re:Hmmm ... by rtb61 · · Score: 1

      A computer bug can be a very poor investment. To use it means exposing it to discovery and that could mean serious consequences. In fact others might well be fully aware of the bug and simply be actively monitoring its activity, this as bugs often remain unfixed and secret for quite some time after discovery. Accessory before the fact crimes can have quite severe penalties and the claim of being unaware of intent is likely to fail.

      Obviously the biggest benefit in detecting and fixing bugs is not the immediate remuneration but in gaining reputation and the increases in remuneration that would likely bring. So more of a bonus, as long as Google publishes and details the efforts of those companies and individuals.

      --
      Chaos - everything, everywhere, everywhen
  3. What's the point in reporting bugs to Google? by Anonymous Coward · · Score: 0

    They're more valuable to other interested parties, plus Google won't patch them on older devices.

    1. Re:What's the point in reporting bugs to Google? by MobileTatsu-NJG · · Score: 1

      The point is to give the Fandroids some extra marketing material to share with us.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    2. Re:What's the point in reporting bugs to Google? by Anonymous Coward · · Score: 0

      Speaking of marketing material, I hear Microsoft likes to give marketing material to the FBI and NSA

      July 31, 2012
      Microsoft (MS) began encrypting web-based chat with the introduction of the new outlook.com service. This new Secure Socket Layer (SSL) encryption effectively cut off collection of the new service for FAA 702 and likely 12333 (to some degree) for the Intelligence Community (IC). MS, working with the FBI, developed a surveillance capability to deal with the new SSL. These solutions were successfully tested and went live 12 Dec 2012.

      March 15, 2013
      SSO's PRISM program began tasking all Microsoft PRISM selectors to Skype because Skype allows users to log in using account identifiers in addition to Skype usernames. Until now, PRISM would not collect any Skype data when a user logged in using anything other than the Skype username which resulted in missing collection; this action will mitigate that. In fact, a user can create a Skype account using any e-mail address with any domain in the world. UTT does not currently allow analysts to task these non-Microsoft e-mail addresses to PRISM, however,

      March 7, 2014
      PRISM now collects Microsoft Skydrive data as part of PRISM's standard Stored Communications collection package for a tasked FISA Amendments Act Section 702 (FAA702) selector. This means that analysts will no longer have to make a special request to SSO for this - a process step that many analysts may not have known about. This new capability will result in a much more complete and timely collection response from SSO for our Enterprise customers. This success is the result of the FBI working for many months with Microsoft to get this tasking and collection solution established. "SkyDrive is a cloud service that allows users to store and access their files on a variety of devices.

  4. Google by Anonymous Coward · · Score: 0

    Google Expands Security Rewards To Bugs In Android Devices

    Because your personal data belongs only to us!

  5. Why bother. You can't even control perms for apps! by denis-The-menace · · Score: 1

    Until you can block simple card game apps from uploading your contacts to China or the NSA, this is pointless.

    --
    Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
  6. Best part is how easy it is to collect by SuperKendall · · Score: 1

    If you do find a bug no need to report it, Google will already know you found it, and additionally will automatically deposit the reward into whatever bank account Google determines you most need the cash.

    Therefore, if you are not yet rich, you have not yet found a valid bug.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  7. Re:Why bother. You can't even control perms for ap by CastrTroy · · Score: 1

    It's easy to block them. You just simply don't install them at all. If people weren't so apt to just click on "yes" for everything then we wouldn't have a problem with apps like this. There's a million card games out there. You don't have to install the ones that ask for permissions they have no business asking for. Even if you were allowed to block certain permissions for certain apps, most users would probably be coaxed into allowing those permissions if it meant they got a few virtual game dollars in exchange for giving up their privacy.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  8. Re:Why bother. You can't even control perms for ap by Anonymous Coward · · Score: 0

    Really? Cool solution bro.
    Because everyone has time to read through the permissions list when installing an app.
    Why don't I have this problem on iOS? Because they have permissions control implemented correctly.

  9. That's fixed in next version by SuperKendall · · Score: 1

    Whatever the next version of Android is they just talked about at IO, Google decided to copy the iOS permission model entirely so finally, people will be able to only grant access to contacts to the app it makes sense for when it makes sense.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:That's fixed in next version by Anonymous Coward · · Score: 0

      That's great for new apps. Not so much for legacy apps that will still use the old model.

    2. Re:That's fixed in next version by Anonymous Coward · · Score: 0

      Um no, you can still block permissions for old apps not compiled against the M API. You just go to settings, find the app and turn off its permissions.

  10. lol by Anonymous Coward · · Score: 0

    google needs to tack a few more zeroes on there

  11. Soo by johnsnails · · Score: 1

    Sooo. Google has a bounty program for discovering vulnerabilities. The government will put a bounty on you if you discover a vulnerability.

  12. They don't pay out by Anonymous Coward · · Score: 0

    I informed them about a product security hole allowing authentication rights to be granted to the wrong user, and which was trivially easy to exploit, a year or 2 ago (I mean REALLY easy, a schoolboy error, it shouldn't have been missed in their QA). Their response was that it wasn't a security bug at all; they subsequently patched the so-called non-bug a few months later.
    Don't expect any payouts unless you put a lot of work in and the bug isn't a schoolboy error. I expect I'm not the only person to whom this has happened.