New Android & Google Device Vulnerability Reward Program

Google’s Device Vulnerability Reward Program helps the company identify security flaws in its operating system and devices.

To promote additional security research in areas of their products that will have a greater impact and protect the users’ security, Google is launching a new quality rating system for security vulnerability reports.

“We are pleased to announce that we are implementing a new quality rating system for security vulnerability reports to encourage more security research in higher impact areas of our products and ensure the security of our users,” Google.

Based on the level of information given in the report, this system will assign vulnerability reports a High, Medium, or Low-quality rating. Further, Google is raising the incentives for the most critical flaws to $15,000.

“The highest quality and most critical vulnerabilities are now eligible for larger rewards of up to $15,000!” Google said.

Significant Elements of the Report

  • Accurate and detailed description

A report should correctly and completely characterize the vulnerability, including the name and version of the affected device.

A proof-of-concept that successfully illustrates the vulnerability should be included in a report comprising video records, debugging output, or other pertinent data.

A report should contain a step-by-step procedure for reproducing the vulnerability on an eligible device running the most recent version.

A report should include evidence or analysis demonstrating the type of problem and the level of access or execution obtained.

Google also said it would no longer assign a Common Vulnerabilities and Exposures (CVE) classification to concerns of moderate severity, only to those of critical and high severity.

“Starting March 15th, 2023, Android will no longer assign Common Vulnerabilities and Exposures (CVEs) to the most moderate severity issues. CVEs will continue to be assigned to critical and high-severity vulnerabilities”, Google.

Google believes encouraging researchers to produce high-quality reports would strengthen the overall security community and its ability to take appropriate action.

“We believe that this new system will encourage researchers to provide more detailed reports, which will help us address reported issues more quickly and enable researchers to receive higher bounty rewards,” Google.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus