Vulnerability-reporting platform HackerOne has paid out a US $20,000 bounty after a researcher discovered he was able to access some other users’ bug reports on HackerOne’s website.
Google has expanded the Android Security Rewards (ASR) program and increased the bug bounties it’s willing to award for certain kinds of exploits. About the Android Security Rewards Program ASR covers security vulnerabilities discovered in the latest available Android versions for Pixel phones and tablets, which are currently Pixel 4, Pixel 3a and Pixel 3a XL, and Pixel 3 and Pixel 3 XL. “Eligible bugs include those in AOSP code, OEM code (libraries and drivers), … More
The post Google ups bug bounties for Android flaws, exploits appeared first on Help Net Security.
Google announced that it will increase bug bounty rewards for Android, it will pay up to $1.5 million for bugs that allow to hack new Titan M security chip.
At the end of 2018, Google announced its Titan M dedicated security chip that is currently installed on Google Pixel 3 and Pixel 4 devices. The chip was designed to process sensitive data and processes, include Verified Boot,
Now Google announced that it will pay up to $1 million
The bug hunters can receive up to $1.5 million for reporting exploit chain working against a preview version of the Android OS.
The decision of Google to increase bug bounty payouts is the response of the tech giant to bug bounty programs operated by zero-day brokers like Zerodium that are offering greater rewards for similar issues. In September, Zerodium has updated the price list for both Android and
A zero-click exploit chain for Android would be rewarded with up to $2.5 million, while an exploit chain for iOS only $2 million.
“Android security is improving with every new release of the OS thanks to the security teams of Google and Samsung, so it became very hard and time consuming to develop full chains of exploits for Android and it’s even harder to develop zero click exploits not requiring any user interaction,” explained Zerodium’s CEO Chaouki Bekrar.
“We will reward extra for a full exploit chain (typically multiple vulnerabilities chained together) that demonstrates arbitrary code execution, data
- Whether there is a detailed writeup describing how the exploit works.
- The initial attack vector (ie. remote exploitation versus local).
- Whether the exploit is device- or build-specific, or whether it works across a broad set of builds and devices.
- The amount of user interaction required for the exploit to work.
- Whether the user could feasibly detect that an exploit is in progress or has completed.
- How reliable the exploit is.
- Exploits chains found on specific developer preview versions of Android are eligible for up to an additional 50% reward bonus.
Below the maximum exploit rewards for each type of exploit:
Code execution reward amounts
|Pixel Titan M||Up to $1,000,000|
|Secure Element||Up to $250,000|
|Trusted Execution Environment||Up to $250,000|
|Kernel||Up to $250,000|
|Privileged Process||Up to $100,000|
The maximum reward for data of high-value data secured by Pixel Titan M is $500,000 while the maximum reward for Lockscreen bypass is up to $100,000.
Additional info is available on Android Security Rewards Program Rules page.
(SecurityAffairs – Titan M, Android)
The post Google will pay up to $1.5m for full chain RCE for Android on Titan M chips appeared first on Security Affairs.
GitHub, the world’s largest open source code repository and leading software development platform, has launched GitHub Security Lab. “Our team will lead by example, dedicating full-time resources to finding and reporting vulnerabilities in critical open source projects,” said Jamie Cool, VP of Product Management, Security at GitHub. GitHub Security Lab GitHub Security Lab is a program aimed at researchers, maintainers, and companies that want to contribute to the overall security of open source software. Current … More
The post GitHub Security Lab aims to make open source software more secure appeared first on Help Net Security.