New Android & Google Device Vulnerability Reward Program Initiatives

As technology continues to advance, so do the efforts of cybercriminals who look to exploit vulnerabilities in software and devices. This is why security is a top priority at Google and Android, and we are continuously working to make our products more secure. One way we do this is through our Vulnerability Reward Programs (VRP), which incentivize security researchers to find and report vulnerabilities in our operating system and devices.

We are pleased to announce that we are implementing a new quality rating system for security vulnerability reports, to encourage more security research in higher-impact areas of our products and to ensure the safety of our users. This system will rate vulnerability reports as High, Medium, or Low quality based on the level of detail provided in the report. We believe this new system will encourage researchers to provide more detailed reports, which will help us address reported issues more quickly and enable researchers to receive higher bounty rewards.

The highest quality and most critical vulnerabilities are now eligible for larger rewards of up to $15,000!

There are a few key elements we are looking for:

Accurate and detailed description: A report should clearly and accurately describe the vulnerability, including the device name and version. The description should be detailed enough to easily understand the issue and begin working on a fix.

Root cause analysis: A report should include a full root cause analysis that describes why the issue is occurring and what Android source code should be patched to fix it. This analysis should be thorough and provide enough information to understand the underlying cause of the vulnerability.

Proof-of-concept: A report should include a proof-of-concept that effectively demonstrates the vulnerability. This can include video recordings, debugger output, or other relevant information. The proof-of-concept should be of high quality and include the minimum amount of code possible to demonstrate the issue.

Reproducibility: A report should include a step-by-step explanation of how to reproduce the vulnerability on an eligible device running the latest version. This information should be clear and concise, and should allow our engineers to easily reproduce the issue and begin working on a fix.

Evidence of reachability: Finally, a report should include evidence or analysis that demonstrates the type of issue and the level of access or execution achieved.

*Note: These criteria may change over time. For the most up-to-date information, please refer to our public rules page.

Additionally, starting March 15th, 2023, Android will no longer assign Common Vulnerabilities and Exposures (CVEs) to most moderate severity issues. CVEs will continue to be assigned to critical and high severity vulnerabilities.

We believe that incentivizing researchers to provide high-quality reports will benefit both the broader security community and our ability to take action. We look forward to continuing to work with researchers to make the Android ecosystem safer.

If you would like more information on the Android & Google Device Vulnerability Reward Program, please visit our public rules page to learn more!
