Google Publishes List of 42 Phones Running Latest Android Security Updates

[CrAKeN]

 

Google published yesterday a list of 42 smartphone models from 12 vendors that run up-to-date Android OS versions with the latest security patches applied.

 

The list is meant to help boost sales for the listed models as a reward for vendors who focused on providing their customers with the security patches Google puts out each month via its Android Security Bulletin.

 

The table below includes all smartphone models that run a security update from the last two months:

 

Manufacturer	Device
BlackBerry	PRIV
Fujitsu	F-01J
General Mobile	GM5 Plus d, GM5 Plus, General Mobile 4G Dual, General Mobile 4G
Gionee	A1
Google	Pixel XL, Pixel, Nexus 6P, Nexus 6, Nexus 5X, Nexus 9
LGE	LG G6, V20, Stylo 2 V, GPAD 7.0 LTE
Motorola	Moto Z, Moto Z Droid
Oppo	CPH1613, CPH1605
Samsung	Galaxy S8+, Galaxy S8, Galaxy S7, Galaxy S7 Edge, Galaxy S7 Active, Galaxy S6 Active, Galaxy S5 Dual SIM, Galaxy C9 Pro, Galaxy C7, Galaxy J7, Galaxy On7 Pro, Galaxy J2, Galaxy A8, Galaxy Tab S2 9.7
Sharp	Android One S1, 507SH
Sony	Xperia XA1, Xperia X
Vivo	Vivo 1609, Vivo 1601, Vivo Y55

 

Besides the table above, Google said there are also over 100 smartphone models that run an Android version with a security patch from the last 90 days (three months). Despite this, the vast majority of today's smartphones run outdated versions of the Android OS.

 

Google quadruples reward for TrustZone or Verified Boot RCE

Furthermore, Google announced it would be paying an insane amount of money to researchers who deliver two types of bug reports.

 

• $200,000 to any security researcher who files a bug report for a remote exploit chain or exploit leading to TrustZone or Verified Boot compromise. Google was previously paying $50,000 for this type of bug report.
• $150,000 to any security researcher who files a bug report for a remote kernel exploit.  Google was previously paying $30,000 for this type of bug report.

The increase of this reward comes after a failed contest organized last year. In September 2016, Project Zero, a division of the Google security team specialized in finding zero-days, announced a contest that would have paid $200,000 (first place), $100,000 (second place), and $50,000 (third place) for a full exploit chain that would compromise Android devices.

 

The contest was so hard that no researcher submitted any bug reports, albeit some told Google they were working on it.

 

Google paid $1.5M+ for Android bug reports in the last 2 years

In addition to the increase of bug report payouts for the above two vulnerability types, Google also released details about its Android bug bounty program, known as the Android Security Rewards program.

 

According to the company, after two years, they've paid out over $1.5 million in rewards to 115 individuals (or security teams) for 450 valid vulnerability reports.

 

On average, the company paid $2,150 per successful bug report and $10,209 per researcher. The top earner is C0RE Team, who earned over $300,000 for 118 vulnerability reports.

 

Source

[DKT27]

I actually still do not understand what prevents Google from giving atleast security updates to relatively outdated phones, especially the official Google ones. Sure, you can use the excuses for OS updates, but just 3 years for allowing security updates from the date of the release of the phone is unfair I think.

[Togijak]

@DKT27

 

This way of Googles acting is one reason to use a rooted phon with Cyanogen | LineageOS ROM. I get my security update for my One+ One 2 days ago