Google Launches Android Security Rewards Program
Android as an OS is a fair mixture of robustness and versatility. From supporting a wide range of hardware options to allowing OEMs to modify the base and not redistribute the code, Android has clicked with users and manufacturers alike.
But as with everything else in the world, Android is not perfect. It certainly does not find ready adoption from enterprises, with security on the OS being one of their major gripes. Google had taken its first step in encouraging wider-scale enterprise adoption with Android for Work, and now it has taken another step in a related direction.
With the launch of the Android Security Rewards Program, Google aims to encourage the work of security researchers in making Android more secure. The Program offers monetary rewards as well as public recognition for contributions made towards Android security as a result of discovering vulnerabilities and providing test cases and fixes.
The Rewards Program is limited to vulnerabilities discovered in the latest Android version available for Nexus smartphones and tablets on sale via the Google Store in the USA, which narrows it down to the Nexus 6 and Nexus 9 as of now, but leaves out the Nexus Player as well as Android Wear. Vulnerabilities include bugs in AOSP code, OEM code in libraries and drivers, kernel code, TrustZone OS and modules. This also excludes vulnerabilities in the non-AOSP apps developed by Google, as these are covered under different programs.
The monetary rewards for vulnerabilities depend on their severity, with Moderate severity bugs getting a $500 reward while Critical severity bugs stand a chance to gain $2,000. As a further incentive, there are multipliers for more research work done in the form of test code or fixes, with the rewards reaching as high as $8,000 on these lines. Additionally, rewards for more complex scenarios can reach as much as $30,000, at the discretion of the reward panel. Good Guy Google also offers the option to donate to an established charity instead, and will double the donation amount if this option is exercised.
The FAQ page for the Android Security Rewards Program also answers some immediate questions. For instance, bugs in custom ROMs on Nexus devices are not eligible, and the “eligibility” of the bug will be decided by Google only after the details are disclosed to Google, so there are a fair few grey areas.
Nonetheless, an initiative like this only helps to make Android more secure. It also avoids bad press for the OS, as rewards are not given if the vulnerabilities are disclosed to third parties before Google gets a chance to review and subsequently fix them.
What do you think about this reward initiative by Google? Are the efforts enough to help make Android more “secure”? Let us know your thoughts in the comments below!