
Google Rewards $550,000 for Pointing Out Android Vulnerabilities

Moreover, breaking the TrustZone or Verified Boot on Android will net payments of $50,000 instead of the previous $30,000, while the reward for a proximal or remote kernel exploit is increased from $20,000 to $30,000.


The reward for an exploit or chain of exploits leading to a TrustZone or Verified Boot compromise via an installed app or with physical access to the device has remained $30,000.

Google kicked off Android Security Rewards last June, a month before the first Stagefright bugs, which triggered Google’s monthly Android patches, and put pressure on Android device makers to actually deliver those patches to end-user devices.

Google is constantly trying to improve the program and has made some new changes that apply to all reports submitted after 1st of June 2016. The program essentially asks researchers and developers to submit bugs in its products and services, and in return Google pays them in cash for relevant, high-quality reports.

Going forward, Google said it will now pay 33 percent more for “high-quality” vulnerability reports with proof of concept.

Google received as many as 250 vulnerability reports a year ago, of which 25 percent were for vulnerabilities in code that was developed and used outside of the Android Open Source Project.

In total, over 250 qualifying vulnerability reports were submitted by 82 individuals. Meanwhile, the payout for a critical vulnerability with proof of concept will move from $3,000 to $4,000. One, @heisecode, received $75,750 for 26 vulnerability reports.

Even with all these reports, researchers were unfortunately unable to locate any bugs in the most secure and important zone of Android, TrustZone or Verified Boot, and Google has chosen to increase the rewards to entice researchers even more towards finding vulnerabilities in that area.

In addition, Google is raising the stakes for a couple of specific exploits.


With Android powering the majority of mobile devices now in use, security is of utmost importance.

Although the Android bug bounty is focused on Nexus devices, Google says it also benefits the wider mobile industry.