Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

June 18, 2015

Android Security Rewards Program [Go Navy!]

Filed under: Cybersecurity,Security — Patrick Durusau @ 1:52 pm

Android Security Rewards Program

Covers:

Rewards as of June 2015:

Reward amounts

The reward amount depends on the severity of the vulnerability and the quality of the report. A bug report that includes reproduction code will get more than a simple report pointing out vulnerable code. A well-written CTS test and patch will result in an even higher reward.

Our base reward amounts for vulnerability severity are typically:

  • Critical – $2,000
  • High – $1,000
  • Moderate – $500

We’ll reward up to 1.5x the base amount if the bug report includes standalone reproduction code or a standalone test case (e.g., a malformed file). If the bug report includes a patch that fixes the issue or a CTS test that detects the issue, we’ll apply up to a 2x reward modifier. If there is both a CTS test and a patch, there’s a potential 4x reward modifier. Keep in mind that submitted CTS tests and patches must apply cleanly to AOSP’s master branch and comply with Android’s Coding Style Guidelines to be eligible for these additional reward amounts.

This table shows an overview of the reward schedule for typical rewards:

Severity    Bug       Test case   CTS / patch   CTS + patch
Critical    $2,000    $3,000      $4,000        $8,000
High        $1,000    $1,500      $2,000        $4,000
Moderate    $500      $750        $1,000        $2,000
Low         $0        $333        $500          $1,000

Besides these reward levels, we offer additional rewards for functional exploits:

  • An exploit or chain of exploits leading to kernel compromise from an installed app or with physical access to the device will get up to an additional $10,000. Going through a remote or proximal attack vector can get up to an additional $20,000.
  • An exploit or chain of exploits leading to TEE (TrustZone) or Verified Boot compromise from an installed app or with physical access to the device will get up to an additional $20,000. Going through a remote or proximal attack vector can get up to an additional $30,000.

The final amount is always chosen at the discretion of the reward panel. In particular, we may decide to pay higher rewards for unusually clever or severe vulnerabilities; decide that a single report actually constitutes multiple bugs; or that multiple reports are so closely related that they only warrant a single reward.

We understand that some of you are not interested in money. We offer the option to donate your reward to an established charity. If you do so, we will double your donation – subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.

You need to decide what you want to earn per hour and then decide if this reward program meets your needs.

Personally I would call the US Navy about its recently advertised zero-day program (officially withdrawn, but it doesn’t hurt to ask).

The White House should establish a public auction for zero-day exploits. Vulnerabilities would have more publicity and buyers would be on a fairer footing. Let the free market decide what vulnerabilities are worth.
