Bug hunters fail for the third year in a row to win the top prize in the Android hacking program




Security researchers have once again failed to win the top prize of Google's Android bug bounty program. This is the third consecutive year that bug hunters have failed to win the biggest prize that Google is willing to pay for any kind of security bug.

Anyone who submitted a successful remote exploit chain leading to a TrustZone or Verified Boot compromise on an Android device could have earned up to $200,000, according to the Android Security Rewards program, the name of Google's Android bug bounty program.


Over the years, researchers have found it very difficult to build remote exploit chains that could compromise TrustZone or Verified Boot, two of the most powerful security features of the Android OS.

In 2015, Google offered meager rewards in the first year of the program, but since researchers did not submit remote exploits against TrustZone or Verified Boot, the company increased its rewards to $50,000 in June 2016 2017.

Project Zero, Google's internal team of security researchers, also ran its own competition between September 2016 and March 2017, during which it also offered a $200,000 reward for the same type of remote Android hack.


But despite not winning the top prize in Google's Android bug bounty, researchers have been extremely prolific in finding other security vulnerabilities. In a blog post published today, Google said that since the launch of the program in 2015, the company had paid more than $3 million in rewards, or about $1 million a year.

In a retrospective of the past year, Jason Woloz and Mayank Jain of the Android Security & Privacy team reported that 99 different bug hunters had submitted 470 vulnerability reports in the past year.

The average payment per approved bug report was $2,600, while the average payment per researcher was $12,500, up 23% from last year.

This year, Guang Gong, a Chinese security researcher with Qihoo 360 Technology Co. Ltd.'s Alpha team, received $105,000 for a two-vulnerability remote exploit chain (CVE-2017-5116 and CVE-2017-14904) against a Google Pixel device. To date, this is Google's biggest payout for an Android bug.


But bug hunters have also been successful in another Android-related bug bounty, the Google Play Security Reward Program.

Launched in October last year, this program rewards researchers for finding bugs in popular third-party Android apps. Google reported having accepted 30 bug reports in the past year and paid a combined amount of over $100,000.

Last but not least, just like last year, Google today also released a list of 250 Android smartphone models that are currently running a version of the Android operating system with a security update from the last 90 days.

Google began publishing this list last year to recognize phone manufacturers who keep their devices up-to-date and provide a reference list for users who want to buy a device that regularly receives security updates.

This year's list includes devices from manufacturers such as ANS, ASUS, BlackBerry, Blu, BQ, Docomo, Essential, Fujitsu, General Mobile, HTC, Huawei, Itel, Kyocera, Lanix, Lava, LGE, Motorola, Nokia, OnePlus, Oppo, Positivo, Samsung, Sharp, Sony, Tecno, Vestel, Vivo, Vodafone, Xiaomi, ZTE and, of course, Google itself.
