The Android Security Rewards program recognizes the contributions of security researchers who invest their time and effort in helping us make Android more secure. Through this program we provide monetary rewards and public recognition for vulnerabilities disclosed to the Android Security Team. The reward level is based on the bug severity and increases for complete reports that include reproduction code, test cases, and patches.
Scope of program
This program covers security vulnerabilities discovered in the latest available Android versions for Pixel phones and tablets. This set of devices will change over time, but as of November 1, 2019 this covers:
Android Security Rewards covers bugs in code that runs on eligible devices and isn’t already covered by other reward programs at Google. Eligible bugs include those in AOSP code, OEM code (libraries and drivers), the kernel, the Secure Element code, and the TrustZone OS and modules. Vulnerabilities in other non-Android code, such as the code that runs in chipset firmware, may be eligible if they impact the security of the Android OS.
Non-AOSP apps developed by Google and published in Google Play may be covered under our Google VRP, which also covers server-side issues. Vulnerabilities in Chrome may be handled under the Chrome Rewards program.
At this time, vulnerabilities that only affect other Google devices (such as Android Wear or Project Tango) are not eligible for Android Security Rewards.
Qualifying exploit chains
We will reward extra for a full exploit chain (typically multiple vulnerabilities chained together) that demonstrates arbitrary code execution, data exfiltration, or a lockscreen bypass. The actual reward amount is at the discretion of the rewards committee and depends on a number of factors, including (but not limited to):
- Whether there is a detailed writeup describing how the exploit works.
- The initial attack vector (i.e. remote exploitation versus local).
- Whether the exploit is device- or build-specific, or whether it works across a broad set of builds and devices.
- The amount of user interaction required for the exploit to work.
- Whether the user could feasibly detect that an exploit is in progress or has completed.
- How reliable the exploit is.
- Exploit chains found on specific developer preview versions of Android are eligible for up to an additional 50% reward bonus.
Maximum exploit rewards for each type of exploit are listed below:
| Exploit type | Maximum reward |
|---|---|
| Pixel Titan M | Up to $1,000,000 |
| Secure Element | Up to $250,000 |
| Trusted Execution Environment | Up to $250,000 |
| Kernel | Up to $250,000 |
| Privileged Process | Up to $100,000 |
See Process types for category descriptions.
Data exfiltration reward amounts
| Data exfiltration type | Maximum reward |
|---|---|
| High value data secured by Pixel Titan M | Up to $500,000 |
| High value data secured by a Secure Element | Up to $250,000 |
Lockscreen bypass reward amount
| Exploit type | Maximum reward |
|---|---|
| Lockscreen bypass | Up to $100,000 |
This reward is applicable to lockscreen bypass exploits achieved via software that would affect multiple or all devices. Spoofing attacks that use synthetic biometric data (fake masks, fingerprints, etc.) are not eligible for reward.