Google recently announced significant updates to its Vulnerability Reward Program for Android OS and devices. As elaborated, Google will now employ new rating criteria for the vulnerability reports ensuring better security impact.
Google Android, Devices Vulnerability Reward Rules Update
According to a recent post from Sarah Jacobus of Google’s Vulnerability Rewards Team, the tech giant is rolling out updates to its Vulnerability Reward Program covering the Android operating system and Android devices.
Specifically, the latest updates revolve around how the firm handles different vulnerability reports. For instance, the firm will now rate bug reports as High, Medium, or Low quality, based on the details provided in the reports. This new parameter will encourage security researchers to submit detailed reports, which, in turn, will help Google better remediate the security issues.
Regarding Google’s requirements for the perfect vulnerability report, the post mentions the following parameters.
- Details about the vulnerability with the respective device(s) name and version.
- Full root cause analysis of the vulnerability alongside the respective source code that needs the patch.
- Clear proof-of-concept in understandable formats (videos, debugger reports, etc.).
- Step-by-step guide for the developers to reproduce the vulnerability.
- Information about the level of access or execution gained after exploiting the vulnerability.
While these parameters could sound overwhelming, Google has announced another benefit to further motivate researchers to submit detailed reports. Specifically, the firm has increased the bug rewards to $15,000 for the most critical vulnerabilities with the highest-quality reports.
In addition, another significant update to the existing VRP parameters is the limitation of CVE assignment to vulnerabilities. Google will no longer assign CVEs to moderate-severity flaws. Instead, it will only assign CVE IDs to critical and high-severity vulnerabilities.
While the new rules go into effect, Google will highlight any further changes to the VRP rules on the respective public rules page. Interested researchers should keep checking this page to stay updated with the latest rules before submitting their bug reports.