According to the latest report, Google has announced that it is implementing a new “quality rating system” for security vulnerability reports submitted as part of its Android and Google Devices Vulnerability Rewards Program (VRP). Google will rate vulnerability reports as High, Medium, or Low quality based on the level of detail provided in the report.
They are looking for reports to come with:
- An accurate and detailed description
- A root cause analysis
- A proof-of-concept
- A step-by-step explanation on how to reproduce it
- And evidence that shows the type of issue and level of access or execution it achieves
The “highest quality and most critical vulnerabilities” are now eligible for payouts of up to $15,000. In addition, Google says that starting March 15, 2023, Android will no longer assign CVEs to “most” moderate severity issues. CVEs will continue to be assigned to critical and high-severity vulnerabilities.