Google recently announced significant updates to its Vulnerability Reward Program for Android OS and devices. As elaborated, Google will now employ new rating criteria for the vulnerability reports ensuring better security impact.
Google Android, Devices Vulnerability Reward Rules Update
According to a recent post from Sarah Jacobus, from Google’s Vulnerability Rewards Team, the tech giant is bringing upgrades to its Vulnerability Reward Program covering the Android operating system and Android devices.
Specifically, the latest updates revolve around how the firm handles various vulnerability reports. For instance, the firm will now rate the bug reports as High, Medium, or Low quality, considering the details given in the reports. This new parameter will encourage the security researchers to submit detailed reports, which, in turn, will facilitate Google in better remediation of the security issues.
Regarding Google’s requirements for the perfect vulnerability report, the post mentions the following parameters.
- Details about the vulnerability with the respective device(s) name and version.
- Full root cause analysis of the vulnerability alongside the respective source code that needs the patch.
- Clear proof-of-concept in understandable formats (videos, debugger reports, etc.).
- Step-by-step guide for the developers to reproduce the vulnerability.
- Information about the level of access or execution gained after exploiting the vulnerability.
While these parameters might sound daunting, Google has announced another perk to further motivate the researchers to submit detailed reports. Specifically, the firm has increased the bug rewards to $15,000 for the most critical vulnerabilities with the highest quality reports.
Besides, another important update to the existing VRP parameters is the limitation of CVE assignment to vulnerabilities. Google will no longer assign CVEs to moderate-severity flaws. Instead, it will only CVE IDs to critical and high-severity vulnerabilities.
While the new criteria go in place, Google will highlight any further changes to the VRP rules on the respective public rules page. Interested researchers must keep checking this page to stay updated with the latest rules before submitting their bug reports.
Let us know your thoughts in the comments.