Wednesday, November 27, 2019

Google Security expands its Android Security rewards program

Google is expanding its Android Security Rewards (ASR) program and increasing reward amounts, introducing a top prize of US$1 million for a full-chain remote code execution exploit with persistence that compromises the Titan M secure element on Pixel devices. Additionally, the search engine giant will run a dedicated program offering a 50 percent bonus for exploits found on specific developer preview versions of Android, bringing the top prize to $1.5 million.

The rewards program was created in 2015 to reward researchers who find and report security issues to help keep the Android ecosystem safe. Over the past four years, Google has rewarded over 1,800 reports and paid out over four million dollars.

The Android Security Rewards program recognizes the contributions of security researchers who invest their time and effort in helping Google make Android more secure. The reward level is based on the bug severity and increases for complete reports that include reproduction code, test cases, and patches.

Android Security Rewards covers bugs in code that runs on eligible devices and isn't already covered by other reward programs at Google. Eligible bugs include those in AOSP code, OEM code (libraries and drivers), the kernel, the Secure Element code, and the TrustZone OS and modules. Vulnerabilities in other non-Android code, such as the code that runs in chipset firmware, may be eligible if they impact the security of the Android OS.

Earlier this year, Gartner rated the Pixel 3 with Titan M as having the most "strong" ratings in the built-in security section out of all devices evaluated. Because of this, Google has created a dedicated prize to reward researchers for exploits that circumvent the secure element's protections.

In addition to exploits involving the Pixel Titan M, Google has added other categories of exploits to the rewards program, such as those involving data exfiltration and lockscreen bypass. These rewards go up to $500,000 depending on the exploit category.

Over the last 12 months, Google's total payouts came to over $1.5 million. Over 100 participating researchers received an average reward of over $3,800 per finding (a 46 percent increase from last year), and the top reward paid out this year was $161,337.

The highest reward paid out to a member of the research community was for a report from Guang Gong (@oldfresher) of Alpha Lab, Qihoo 360. This report detailed the first reported 1-click remote code execution exploit chain on the Pixel 3 device.

Guang Gong was awarded $161,337 from the Android Security Rewards program and $40,000 by the Chrome Rewards program, for a total of $201,337. The $201,337 combined reward is also the highest reward for a single exploit chain across all Google VRP programs. The Chrome vulnerabilities leveraged in this report were fixed in Chrome 77.0.3865.75, released in September, protecting users against this exploit chain.
