Bug bounties are a fairly common way for companies to improve the security of software, but Google is expanding the scope of its rewards to include prizes for mobile security development.
To that end, Google has announced its new Android Security Rewards program, which will run in tandem with other Google patch rewards programs. This new program offers cash prizes paying "for each step required to fix a security bug, including patches and tests."
The program covers bugs found in Android Open Source Project (AOSP) code, OEM code (libraries and drivers), the kernel, and the TrustZone OS and modules. To start, only bugs found on Google devices -- Nexus 6 and Nexus 9 -- are eligible, because those are more likely to be bugs in the Android base that would affect the ecosystem as a whole.
Google will not only be offering prizes for bugs found, but will also offer higher rewards for standalone reproduction code or a standalone test case, a Compatibility Test Suite (CTS) test that detects the issue, or submissions including both a CTS test and a patch.
According to Tod Beardsley, engineering manager at Boston-based Rapid7 LLC, this is an important step because it changes the emphasis from only rewarding security research to also rewarding security development.
"Both the announcement and the program details go into some depth on the non-vulnerability reporting actions that warrant a reward, such as patch development and CTS test procedures," Beardsley said. "Most bug bounties stress finding and reporting bugs, while Google is stressing more of an end-to-end secure development program in an open source platform."
Since 2010, Google has paid out more than $4 million in rewards through its vulnerability disclosure programs -- $1.5 million in 2014 alone.
Prizes in the new Android Security Rewards program will scale depending on the impact on the system, with the largest rewards going to researchers who demonstrate how to work around Android’s platform security features, like ASLR and sandboxing. For example, if a researcher finds a bug and produces a test case, patch and exploit for a critical remote issue, the payout could be around $38,000.
Beardsley also wondered what impact this new program will have on the testing space as a whole.
"It’ll be interesting to see where this goes, since this bleeds over into rewarding more traditional quality assurance (QA) work as well as security work," Beardsley said. "While QA is a related field to vulnerability research, it’s very much a different discipline with different expectations of repeatability and reliability."