Google is going to make vulnerabilities found at Android partners public

Google is going to disclose information about vulnerabilities it finds in manufacturers' Android phones. With the Android Partner Vulnerability Initiative (APVI), Google wants to provide more openness about such vulnerabilities. Publication will follow only after the bug has been fixed.

The new program is not a responsible disclosure program for reporting vulnerabilities, but a registry in which Google itself provides more information about bugs it has found itself. Specifically, this concerns vulnerabilities in devices from manufacturers that make Android devices. "The APVI program was set up to provide transparency to users about problems that we have discovered affecting Android partner devices," Google writes in a blog post.

The program is run by the Google Android Security & Privacy team. That team previously started the Security Rewards Program, which also involves external bug bounty hunters. Bugs found through it were included in the Android Security Bulletin, and the fixes for the vulnerabilities listed there are meant to be adopted by all Android manufacturers. "Until recently, we had no way of disclosing issues unique to a smaller number of specific Android OEMs," Google said.

Google has already discovered several bugs. One example concerns a web browser that ships on many devices, whose built-in password manager could leak passwords. On other devices it was possible to bypass permissions and install apps without user intervention. Google has passed those vulnerabilities on to the manufacturers; once the fixes are in place, Google will publish the details. For this it follows the ISO 29157:2018 guideline, which sets out conditions for responsible disclosure.

Google does not say in the blog post which manufacturers are involved. The company does refer to its bug tracker, which indicates that ZTE is among them, and which also shows vulnerabilities in Huawei and Oppo devices.