Google Debuts Android Bug Bounty Program

With mobile malware persisting as a top-of-mind concern for enterprises, Google has kicked off the Android Security Rewards program.

The program is for vulnerabilities affecting Nexus phones and tablets available for sale on Google Play (currently Nexus 6 and Nexus 9). Google will pay for each step required to fix a security bug, including patches and tests. This makes Nexus the first major line of mobile devices to offer an ongoing vulnerability rewards program.

That vulnerability program will focus on the company’s own Nexus line of products, but the Samsung Galaxy line and other gadgets won’t be left out in the cold. The largest rewards are available to researchers who demonstrate how to work around Android’s platform security features, such as ASLR, NX and sandboxing, which are designed to prevent exploitation and protect users.

“Our program offers even larger rewards to security researchers that invest in tests and patches that will make the entire ecosystem stronger,” said Jon Larimer, Android security engineer, in a blog.

Android will also continue to participate in Google’s Patch Rewards Program, which pays for contributions that improve the security of Android (and other open-source projects).

Google has had bug bounty programs for other products, like Chrome, since 2010; so far, the internet giant has paid more than $1.5 million to security researchers.

“We’ve also sponsored mobile pwn2own for the last 2 years, and we plan to continue to support this and other competitions to find vulnerabilities in Android. As we have often said, open security research is a key strength of the Android platform,” Larimer said. “The more security research that's focused on Android, the stronger it will become.”