Google has announced that all security researchers who report Android 13 Beta vulnerabilities through its Vulnerability Reward Program (VRP) will earn a 50% bonus on top of the standard reward until May 26, 2022.
Bug hunters can fetch a maximum payout of $1.5 million for a full chain of remote code execution exploits on the Titan M used on Google Pixel phones running a Beta version of Android 13.
“Between April 26, 2022 and May 26, 2022, all security vulnerabilities reproduced exclusively in Android 13 Beta 1 are eligible for an additional 50% reward payment on top of the standard reward payment,” the company says on the Bug Hunters portal.
“The vulnerabilities must be unique to Android 13 and must not replicate on any other version of Android.”
Google asked those who submitted eligible vulnerabilities to include the phrase “Android 13 Beta” in the title of their reports to ensure they are correctly tagged for this paid bonus program.
The list of qualifying flaws includes those found in the Android Open Source Project (AOSP) and other operating system code, as well as OEM library and driver code, the system on chip (SoC), the Microcontroller Unit (MCU) and any other software used by Android devices, if they affect the security of Google devices and platforms.
Security vulnerabilities discovered in the Android 13 beta between 04/26/22 and 05/26/22 are eligible for a 50% bonus reward payment (up to a maximum of $1.5 million per vulnerability, for a full chain of remote code execution exploits on Titan M). See the Android Rewards page for full details.
– Google VRP (Google Bug Hunters) (@GoogleVRP) April 28, 2022
Researchers are also eligible for additional rewards if they provide full exploit chains that combine multiple security flaws and demonstrate arbitrary code execution, data exfiltration, or lock screen bypass (achieved through software).
The final bounty amount for all reported bugs is at the discretion of the Google bounty committee and depends on several factors, including (but not limited to) the availability of a buildable exploit, a detailed report, the attack vector, and the reliability of the exploit.
“Exploit chains that are on specific developer preview builds of Android are eligible for an additional bounty bonus of up to 50%,” adds Google.
The maximum reward for exploiting vulnerabilities that allow code execution reaches up to $1 million for Pixel Titan M bugs without considering the Android preview payment bonus.
Data exfiltration bugs can also earn investigators a reward of up to $500,000 for sensitive data protected by the Pixel Titan M, while payments for bypassing the software-based lock screen can go up to $100,000.
Jan Keller, technical program manager for Google VRP, revealed in July 2021 that Google has paid bounties to more than 2,000 security researchers from 84 different countries for reporting more than 11,000 bugs since launching its first VRP more than ten years ago.
In total, Google had paid more than $29 million in bounties since January 2010, when it launched the Chromium vulnerability bounty program.
The company gave out a record $8,700,000 in rewards in 2021, including a $157,000 payout for a chain of exploits, the highest in Android VRP history.