Security issues and system vulnerabilities are the bane of modern software, allowing malicious actors to wreak havoc. To counter this, Google runs a Vulnerability Rewards Program (VRP) encouraging security researchers to sniff out issues and keep products like Android safe for everyone. The company recently announced changes to the VRP, including a new CVE assignment policy, a quality rating for reports, and revised payouts for researchers discovering serious bugs.

Like most companies keeping software safe for users, Google associates CVE IDs with bugs — unique, publicly disclosed identifiers for issues, so researchers and vendors can coordinate their efforts to create fixes. Android expert Mishaal Rahman recently highlighted a new Google Security Blog post explaining that Android will no longer assign CVEs to most moderate severity issues, while high severity and critical vulnerabilities will still get CVE IDs. This means our coverage of security updates for Pixel phones will list fewer CVEs and issues worth mentioning, unless Google assigns IDs to moderate issues now and then.

How does Google decide what counts as moderate severity, you ask? Assigning severity to submitted issues remains at Google’s discretion, but it is governed by a rather well laid-out set of rules evaluating the vulnerability’s scope and impact.

Not to be conflated with the three-point scale for bug severity, Google has a new three-point scale called the “quality rating system” integrated into the VRP. It encourages security researchers to submit well-researched bug reports, so the issues can be reproduced and tackled efficiently. Google has laid down a list of expectations for what a bug report should contain, including a detailed description, a thorough root-cause analysis, a demonstration of the issue, instructions to reproduce it, and evidence of the dangerous privileges bad actors could attain.

The search titan has also changed the maximum payout for discovery of critical Android and Google device vulnerabilities. Researchers can claim up to $15,000 if they find one and make a detailed submission. Meanwhile, full exploit chains like those bad actors use in the wild are eligible for rewards of up to $1,000,000. Moderate severity report submissions will be rewarded with up to $250, and there is no reward for low severity reports.

Google says these Android VRP changes took effect on March 15, 2023. The revised bug bounty rates are better now, and it is essential that the scales stay tipped this way, because such vulnerabilities also fetch high prices in marketplaces frequented by hackers and cybercriminals.

Google’s requirements for a good bug report aren’t too much to ask, but with no reward for smaller issues and no incentive to document them thoroughly, one could argue that many of those smaller issues will remain unpatched. The lack of CVEs for low-priority issues also means Google would be the only firm aware of them and in a position to fix them. Fewer CVEs are easier to keep track of, but we worry that smaller issues without identifiers may just slip through the cracks.