As technology continues to advance, so do efforts by cybercriminals who look to exploit vulnerabilities in software and devices. This is why at Google and Android, security is a top priority, and we are constantly working to make our products more secure. One way we do this is through our Vulnerability Reward Programs (VRP), which incentivize security researchers to find and report vulnerabilities in our operating system and devices.
We are pleased to announce that we are implementing a new quality rating system for security vulnerability reports, to encourage more security research in higher-impact areas of our products and to ensure the security of our users. This system will rate vulnerability reports as High, Medium, or Low quality based on the level of detail provided in the report. We believe that this new system will encourage researchers to provide more detailed reports, which will help us address reported issues more quickly and enable researchers to receive higher bounty rewards.
The highest-quality reports for the most critical vulnerabilities are now eligible for larger rewards of up to $15,000!
There are a few key elements we are looking for:
Accurate and detailed description: A report should clearly and accurately describe the vulnerability, including the device name and version. The description should be detailed enough to easily understand the issue and begin working on a fix.
Root cause analysis: A report should include a full root cause analysis that describes why the issue is happening and which Android source code should be patched to fix it. This analysis should be thorough and provide enough information to understand the underlying cause of the vulnerability.
Proof-of-concept: A report should include a proof-of-concept that effectively demonstrates the vulnerability. This can include video recordings, debugger output, or other relevant information. The proof-of-concept should be of high quality and include the minimum amount of code possible to demonstrate the issue.
Reproducibility: A report should include a step-by-step explanation of how to reproduce the vulnerability on an eligible device running the latest version. This information should be clear and concise, and should allow our engineers to easily reproduce the issue and begin working on a fix.
Evidence of reachability: Lastly, a report should include evidence or analysis that demonstrates the type of issue and the level of access or execution achieved.
*Note: These criteria may change over time. For the most up-to-date information, please refer to our public rules page.
Additionally, starting May 15th, 2023, Android will no longer assign Common Vulnerabilities and Exposures (CVEs) to most moderate-severity issues. CVEs will continue to be assigned to critical- and high-severity vulnerabilities.
We believe that incentivizing researchers to provide high-quality reports will benefit both the broader security community and our ability to take action. We look forward to continuing to work with researchers to make the Android ecosystem more secure.
If you would like more information on the Android & Google Device Vulnerability Reward Program, please visit our public rules page to learn more!