
Google Introduces Quality Ratings for Disclosure of Security Bugs


Google and Android have introduced new rules for their vulnerability reward program (VRP) to encourage bug hunters to provide more comprehensive submissions. Under the new rules, vulnerability reports submitted to the Android and Google VRP will be rated on how accurately and in how much detail they describe the way a potential vulnerability in Google’s Android system can be exploited. Reports will also be judged on their root cause analysis, a demonstration of a proof of concept, and evidence of reproducibility. The bug bounty prize has also been increased to $15,000, and reports will now be categorized as “High,” “Medium,” or “Low” quality based on these elements.

Google Security has also announced that from March 2023, Android will no longer assign Common Vulnerabilities and Exposures (CVEs) to most moderate severity issues. CVEs will continue to be assigned to critical and high severity vulnerabilities that put users and their data at risk.

Casey Ellis, the founder and chief technology officer of Bugcrowd, has praised Google’s move to define the elements of a high-quality vulnerability disclosure. The new VRP rules aim to help educate the hacker community on “the things which make communication more effective.” Ellis has noted that the power of crowdsourcing brings variability both in how vulnerability submitters communicate and in how effectively a report conveys the risk to those who need to fix it.

Google’s VRP has paid out a record-setting $12 million in bug bounties in 2022 alone. The new rules are expected to encourage more bug hunters to submit comprehensive submissions, making it easier for Google to identify and fix vulnerabilities before they are exploited by cybercriminals.

The move is part of Google’s ongoing efforts to improve the security of Android and its users’ data. Google has previously introduced measures to enhance Android’s security, including restricting the ability of apps to access user data, using machine learning to detect and remove malware from the Play Store, and introducing 2FA for its accounts.

The importance of bug bounty programs and disclosure policies cannot be overstated, especially with the rise of cyberattacks targeting companies and individuals worldwide. Enabling bug hunters to report vulnerabilities based on clear guidelines will help organizations identify and eliminate these vulnerabilities before they can be exploited.

The new rules announced by Google Security are expected to set an example for other companies and organizations to follow. By defining what constitutes a high-quality vulnerability disclosure, companies like Google and Android can encourage more bug hunters to submit comprehensive submissions and improve the effectiveness of their vulnerability disclosure programs.
