Google challenges techies to find security bugs in Android 12, will pay up to Rs 7 crore for serious bugs
Android 12 recently began reaching a handful of phones in beta, and Google now wants your help in finding bugs.
- Google is now recruiting security researchers to find security bugs in Android 12.
- The payouts for finding bugs, including exploits, are up to $1,000,000.
- Android 12 began rolling out in beta to select phones earlier this month.
Android 12 is now available on select phones but in the very initial beta stage. This means it is full of bugs that not only spoil your smartphone experience but can even tamper with the phone’s functions and make it unresponsive. And there are chances this build also has some vulnerabilities that affect the security of the OS and the phone. Google now wants techies to find and report these security bugs under the Android Security Rewards Program with rewards of over Rs 7 crore if they find serious bugs.
Security researchers who are interested in Google’s bug bounty programme will need to analyse the latest Android 12 Beta 1 and Android 12 Beta 1.1 builds for Pixel devices. In its Android Rewards blog, Google has said that anyone who finds a security vulnerability in the two new Android 12 builds between May 18 and June 18 will be eligible for a 50 per cent bonus over and above the standard payout. The Android Security Rewards Program covers bugs in code that runs on eligible devices and is not already covered by the company’s other reward programmes.
The eligible devices, as per Google, for the bug programme are:
- Pixel 5
- Pixel 4a
- Pixel 4a 5G
- Pixel 4
- Pixel 4 XL
- Pixel 3a
- Pixel 3a XL
- Pixel 3
- Pixel 3 XL
Google has also mentioned the kind of vulnerabilities that are deemed eligible under the bug bounty programme. These bugs include those in AOSP code, OEM code (libraries and drivers), the kernel, the Secure Element code, and the TrustZone OS and modules. Some other vulnerabilities in non-Android code may also be eligible “if they impact the security of the Android OS.” Google will hand out bonus rewards for a full exploit chain, the details of which are given on the Android Security Rewards Program website.
Since payouts for finding bugs depend on the severity of the vulnerability, Google has classified reward amounts according to the exploits found in different parts of the operating system. These rewards are for finding serious exploits:
|Component|Reward|
|---|---|
|Pixel Titan M|Up to $1,000,000|
|Secure Element|Up to $250,000|
|Trusted Execution Environment|Up to $250,000|
|Kernel|Up to $250,000|
|Privileged Process|Up to $100,000|
Google will also pay up to $100,000 if a security researcher manages to bypass the lock screen on the phone. This involves bypass exploits achieved using software that can also affect other devices. Spoofing using synthetic biometric solutions such as fake masks or fingerprints will not be eligible for rewards.
On its website for the Android Security Rewards Program, Google has mentioned what it finds eligible and qualifying in the vulnerabilities that security researchers are expected to discover. “In general, we will reward critical, high, moderate, and low severity vulnerabilities,” said Google. Also, the security researchers will need to ensure they are finding bugs in an Android build that is not older than 30 days.
You can go to the website and check it out for yourself, in case you know your way around software code.