If you have an Android device, you might be interested in the critical security flaw reward that Google is now offering. The reward has been increased to $200,000 and it is a cash reward that any security researcher can claim if they find any critical security flaw within various products. Read on to learn more about the increase in the cash reward and how you might be able to get it.
Google Increases Critical Security Flaw Reward
It is pretty amazing that Google has decided to up the reward for security researchers that find a critical security flaw within various products. The new reward is $200,000 and this is for both the Verified Boot and Trustzone exploits.
You must be successful in making and showing the remote exploit against one of these two technologies in order to get the reward. Previously, the reward was $50,000 so this is a huge increase in between what the reward was and what it is now. Another cool thing is that Google has increased the reward for the remote kernel exploits too. The reward for that critical security flaw was $30,000 and it is now $150,000.
Members of the Android Security team said that no one has claimed the rewards on any of the critical security flaw issues regarding either Trustzone or Verified Boot in over two years. Google decided that the best way to get people more interested in finding the critical security flaw is to increase the reward to $200,000 as opposed to the $50,000. The belief is that with the reward being four-times as big, more security researchers will be interested in actually finding the Verified Boot and Trustzone vulnerabilities. Since both of these are some of the core technologies used in Android products, Google really wants to know if there are any exploits or vulnerabilities.
The name of the program is Android Security Reward, which was launched a couple years ago. This was a bounty program put out by Google in order to find vulnerabilities in Android and other Google products. Google has been trying to get people to find a critical security flaw in various products so that these issues could be fixed and lead to a better product. Well, just in 2016 alone there were over 520 different vulnerabilities found, although a lot of them were not critical in nature.
More About The Critical Security Flaw Program
When it comes to the Android Security Reward program, Google was wanting people to find a critical security flaw in various Android systems, such as the vulnerabilities in Pixel C, Pixel, and Pixel XL. The various vulnerabilities you could get paid for finding include those in the Android Open Source project, meaning the coding used in that program. You also could find bugs in drivers, the kernels in the operating system, in the libraries, and the Trustzone technologies.
All of these products and technologies are eligible for the reward. The biggest aspect to what size your reward is comes down to how critical the flaw is. If you find a really critical security flaw then you will get a ton of money, as opposed to finding a small minor issue. The lower-level bugs get about $330 each and moderate bugs can earn you $30,000. If you find the big bugs though, the very severe critical ones, you can get up to $200,000 now.
Google has already paid out over $1.5 million to people who have found bugs, which is not bad in two years. The interesting part is that Google has paid out over $1 million just in the past year alone. The first year, not many people were interested or turning in the security bugs for the reward money. Now that the program is becoming popular and more people know about it, more people are up to the challenge of finding the issues.
Google is also working closer with the various Android device manufacturers out there to get them to release more updates and security patches. Some manufacturers would wait a long time to do the system updates and patches, which of course, made all of those Android devices more vulnerable. Google said that the best way to help Android users is to get the patches and updates out as soon as possible. The key is to get the patches to fix critical security flaw issues out within 90 days or less, which is what Google is working on now.