Google published yesterday a list of 42 smartphone models from 12 vendors that run up-to-date Android OS versions with the latest security patches applied.

The list is meant to help boost sales for the listed models as a reward for vendors who focused on providing their customers with the security patches Google puts out each month via its Android Security Bulletin.

The table below includes all smartphone models that run a security update from the last two months:

| Manufacturer | Device |
|---|---|
| BlackBerry | PRIV |
| Fujitsu | F-01J |
| General Mobile | GM5 Plus d, GM5 Plus, General Mobile 4G Dual, General Mobile 4G |
| Gionee | A1 |
| Google | Pixel XL, Pixel, Nexus 6P, Nexus 6, Nexus 5X, Nexus 9 |
| LGE | LG G6, V20, Stylo 2 V, GPAD 7.0 LTE |
| Motorola | Moto Z, Moto Z Droid |
| Oppo | CPH1613, CPH1605 |
| Samsung | Galaxy S8+, Galaxy S8, Galaxy S7, Galaxy S7 Edge, Galaxy S7 Active, Galaxy S6 Active, Galaxy S5 Dual SIM, Galaxy C9 Pro, Galaxy C7, Galaxy J7, Galaxy On7 Pro, Galaxy J2, Galaxy A8, Galaxy Tab S2 9.7 |
| Sharp | Android One S1, 507SH |
| Sony | Xperia XA1, Xperia X |
| Vivo | Vivo 1609, Vivo 1601, Vivo Y55 |

Besides the table above, Google said there are also over 100 smartphone models that run an Android version with a security patch from the last 90 days (three months). Despite this, the vast majority of today's smartphones run outdated versions of the Android OS.
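The patch-age criterion the list is built on can be checked on any device from its security patch level. The Python below is an added example, not code from the article or from Google: it reads the `ro.build.version.security_patch` property (as printed by `adb shell getprop`) and classifies the device against the article's two-month and 90-day windows. The sample getprop output is constructed, and treating "last two months" as 60 days is an assumption.

```python
from datetime import date, datetime

# Constructed sample of `adb shell getprop` output; not captured from a real device.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [7.1.2]
[ro.build.version.security_patch]: [2017-05-05]
[ro.build.version.sdk]: [25]
"""

PATCH_PROP = "[ro.build.version.security_patch]:"


def parse_patch_level(getprop_output):
    """Return the security patch level as a date, or None if missing or malformed."""
    for line in getprop_output.splitlines():
        if line.startswith(PATCH_PROP):
            value = line[len(PATCH_PROP):].strip().strip("[]")
            try:
                return datetime.strptime(value, "%Y-%m-%d").date()
            except ValueError:
                return None  # vendor wrote something that is not a patch date
    return None


def patch_status(patch_level, today, recent_days=60, window_days=90):
    """Classify freshness: 'current' (within two months, assumed 60 days),
    'recent' (within 90 days), 'outdated', or 'unknown'."""
    if patch_level is None:
        return "unknown"
    age = (today - patch_level).days
    if age < 0:
        return "unknown"  # patch level in the future: clock skew or bogus value
    if age <= recent_days:
        return "current"
    if age <= window_days:
        return "recent"
    return "outdated"


def check_device(getprop_output, today=None):
    """Combine parsing and classification for one device's getprop dump."""
    return patch_status(parse_patch_level(getprop_output), today or date.today())
```

Run it against a fleet inventory of getprop dumps to flag devices that would not qualify for the list.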

Google quadruples reward for TrustZone or Verified Boot RCE

Furthermore, Google announced it would be paying an insane amount of money to researchers who deliver two types of bug reports.

  • $200,000 to any security researcher who files a bug report for a remote exploit chain or exploit leading to TrustZone or Verified Boot compromise. Google was previously paying $50,000 for this type of bug report.
  • $150,000 to any security researcher who files a bug report for a remote kernel exploit. Google was previously paying $30,000 for this type of bug report.

This reward increase comes after a failed contest organized last year. In September 2016, Project Zero, a division of the Google security team specialized in finding zero-days, announced a contest that would have paid $200,000 (first place), $100,000 (second place), and $50,000 (third place) for a full exploit chain that would compromise Android devices.

The contest was so hard that no researcher submitted any bug reports, although some told Google they were working on it.

Google paid $1.5M+ for Android bug reports in the last 2 years

In addition to the increase of bug report payouts for the above two vulnerability types, Google also released details about its Android bug bounty program, known as the Android Security Rewards program.

According to the company, after two years, they've paid out over $1.5 million in rewards to 115 individuals (or security teams) for 450 valid vulnerability reports.

On average, the company paid $2,150 per successful bug report and $10,209 per researcher. The top earner is C0RE Team, who earned over $300,000 for 118 vulnerability reports.