
Google Expands Security Rewards To Bugs In Android Devices

An anonymous reader sends news that Google has launched the Android Security Rewards program, which expands its bug bounty efforts to include vulnerabilities in the Android mobile operating system. At present, the program is fairly limited — only bugs found in the most recent version of Android are accepted, and only those that exist on the Nexus 6 phone or the Nexus 9 tablet. Google says that list will change in the future. "Eligible bugs include those in Android Open Source Project (AOSP) code, OEM code (libraries and drivers), the kernel, and the TrustZone OS and modules. Vulnerabilities in other non-Android code, such as the code that runs in chipset firmware, may be eligible if they impact Android’s overall security." Bounty amounts range from $500 for a moderate severity bug to $2,000 for a critical bug. The amounts can be increased by various multipliers if a security researcher is able to submit code that helps Google test or fix the issue.
  • by ArcadeMan ( 2766669 ) on Tuesday June 16, 2015 @02:52PM (#49923425)

    It doesn't even know it's an android.

  • So, is it more lucrative to claim the bounty, or exploit the bug?

    Seems to me you can sell it to shady people for more money.

    • So, is it more lucrative to claim the bounty, or exploit the bug?

      Seems to me you can sell it to shady people for more money.

      Only if you're the sort to do that.

      It's the norm across the whole industry that the black market in vulnerabilities is more lucrative than the "white hat" side. And yet, it appears that the white hat industry is far larger -- and probably more effective. Why? Multiple reasons: Most people want to be honest, many of them like the public recognition they get from publishing, and there are a lot of risks in dealing with the sorts of shady people who pay lots of money for vulnerabilities. The net is that the

    • by rtb61 ( 674572 )

      A computer bug can be a very poor investment. To use it means exposing it to discovery, and that could mean serious consequences. In fact, others might well be fully aware of the bug and simply be actively monitoring its activity, as bugs often remain unfixed and secret for quite some time after discovery. Accessory-before-the-fact crimes can carry quite severe penalties, and the claim of being unaware of intent is likely to fail.

      Obviously the biggest benefit in detecting and fixing bugs is not the imm

  • Until you can block simple card game apps from uploading your contacts to China or the NSA, this is pointless.

    • It's easy to block them. You just simply don't install them at all. If people weren't so apt to just click on "yes" for everything, then we wouldn't have a problem with apps like this. There's a million card games out there. You don't have to install the ones that ask for permissions they have no business asking for. Even if you were allowed to block certain permissions for certain apps, most users would probably be coaxed into allowing those permissions if it meant they got a few virtual game dollars in

    • Whatever the next version of Android is that they just talked about at I/O, Google decided to copy the iOS permission model entirely, so finally people will be able to grant access to contacts only to the app it makes sense for, when it makes sense.

  • If you do find a bug no need to report it, Google will already know you found it, and additionally will automatically deposit the reward into whatever bank account Google determines you most need the cash.

    Therefore, if you are not yet rich, you have not yet found a valid bug.

  • Sooo. Google has a bounty program for discovering vulnerabilities. The government will put a bounty on you if you discover a vulnerability.
