Say (completely hypothetical!) there was an easy unpriv -> root privesc added by a Google employee to the 5.13 kernel, does the Google VRP pay for an exploit/report/fix even if they don't currently use the kernel (presumably)?
Based on: sites.google.com/site/bughunter it looks like the answer is no, incentivizing the vuln sticking around until it does affect an Android release?
They wouldn't pay for a recent mainline kernel bug.
Official rule is that it has to impact Pixels to qualify. In practice, it's broader and they would probably pay a bounty if the kernel bug was in Android common kernel tagged releases shipping on devices but not yet Pixels.
It doesn't just have to be in the kernel version but needs to impact them. A lot of severe bugs in other environments won't be in code that's enabled or exposed so they won't pay for them.
They don't have unprivileged user namespaces, BPF, etc. and netd is considered privileged.
A new mainline bug would usually only qualify without 1-2 years of delay if it got backported to an LTS. Not clear how long it would need to be in an LTS branch to qualify. I don't think they'd pay out for the LTS branches that aren't really used in production yet either.
I think they might get the latency for shipping kernel.org LTS down to ~4 weeks once they're using GKI.
Google doesn't currently believe in shipping Qualcomm's MSM kernel LTS though. They still try to cherry-pick those and even miss some fixes they put in bulletins.
Qualcomm has their own bug bounty program:
qualcomm.com/company/produc
Google used to pay bounties for the MSM drivers and it was probably the majority of their bug bounties. I don't really think Google pays bounties for those anymore unless it's because they missed a fix, etc.