2023-09-18

Summary

Google is increasing scrutiny of external contributions to the Android Open Source Project (AOSP) to prevent security vulnerabilities and bugs from making it to AOSP.

All external code contributions to AOSP now require approval from two Google reviewers.

The review process helps sift through incoming code, identify beneficial contributions, and reduce security issues, without limiting who can contribute to AOSP.

Most of the Android Open Source Project (AOSP) is licensed under Apache 2.0, which means that anyone can modify its code. It’s this type of model that also allows AOSP to grow through internal and external contributions alike. Google has developed a guide to help people understand how to contribute code to AOSP, and it has even used some of these contributions to build new features. However, one drawback of this openness is that it also gives bad actors an easy way to slip flawed or malicious code into the project. In response to security concerns, Google is increasing its scrutiny of external contributions.

Android expert Mishaal Rahman explains that all external code contributions to AOSP will now need two Google reviewers to review and approve them prior to submission. The goal is to prevent security vulnerabilities and bugs embedded within code from making it to AOSP — not to limit who can submit code to AOSP. In fact, Rahman specifies that non-Googlers are not being blacklisted from contributing. Instead, external code will simply be subject to review, giving those directly affected a chance to determine whether it should be integrated. It’s a more thorough vetting process, but it ultimately helps sift through incoming code, identify what would be most beneficial, and reduce security issues. At the time of writing, Google had yet to respond to requests for comments about the change.

Source: Google

The new requirement could prevent the kind of vulnerability issues Google has faced in the past. Just last year, a bug in AOSP was discovered and blamed for a flaw that allowed attackers to bypass Android lock screens. David Schütz was the researcher who found it, and he received $70,000 from Google for reporting it.

Google notably has a bug bounty program known as the Vulnerability Rewards Program (VRP), which launched in 2010. Since then, more than 11,000 bugs have been spotted by people who are on the hunt for them in exchange for cash. Google has paid out millions of dollars to these sleuths over the years, but perhaps there will be less need with the review process in place.

If you do find an urge to join the hunt, Google has gone as far as to create Bug Hunter University, which provides everything you need to get started. Some of the main areas where Google needs hunters are Google Cloud (Agent Assist), Android (applications), the Google Apps Script Editor, and Bard. There is also a leaderboard where you can see how you stack up against other bug hunters, if you have a competitive streak.