Google introduces Mobile Vulnerability Rewards Program

Google has introduced what it calls the “Mobile Vulnerability Rewards Program”. The tech giant intends for the innovative bug bounty initiative to compensate security researchers for identifying flaws in the company’s Android applications. “We are thrilled to unveil the new Mobile VRP! We are actively seeking bug hunters to assist us in discovering and rectifying vulnerabilities in our mobile applications,” tweeted Google VRP.

The primary objective is to expedite the process of identifying and addressing weaknesses in first-party Android apps. Needless to say, these only include apps either developed or maintained by Google.

Included within the scope of the Mobile VRP are applications created by Google, Developed with Google, Research at Google, Red Hot Labs, Google Samples, Fitbit, Nest Labs, Waymo, and Waze.

The other eligible apps

The list of eligible apps also encompasses what Google refers to as “Tier 1” Android applications. These are the following apps, listed with their package names:

  • Google Play Services (com.google.android.gms)
  • AGSA (com.google.android.googlequicksearchbox)
  • Google Chrome (com.android.chrome)
  • Google Cloud (com.google.android.apps.cloudconsole)
  • Gmail (com.google.android.gm)
  • Chrome Remote Desktop (com.google.chromeremotedesktop)

Qualifying vulnerabilities include those that permit arbitrary code execution (ACE), the theft of sensitive data, and weaknesses that bad actors can combine with other flaws to produce a similar impact.

These include orphaned permissions; path traversal or zip path traversal flaws that enable arbitrary file writes; and intent redirections, which criminals can utilize to launch non-exported application components. In addition, Google hands out bounties for the discovery of security bugs stemming from unsafe usage of pending intents.
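To make the zip path traversal class concrete, here is an added example (not code from Google or from the article) of the defensive check an Android app should apply when unpacking an untrusted archive: every entry is resolved against the canonical destination directory and rejected if it would land outside it, which is what stops a `../`-style entry name from becoming an arbitrary file write. The class name `SafeUnzip` and the helper `resolveEntry` are this example's own.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

/** Extracts a ZIP stream into destDir, refusing any entry that would escape destDir. */
public final class SafeUnzip {

    public static void extract(InputStream zipStream, File destDir) throws IOException {
        // Canonical form resolves ".." segments and symlinks, so the prefix check is meaningful.
        String root = destDir.getCanonicalPath();
        String destRoot = root.endsWith(File.separator) ? root : root + File.separator;
        try (ZipInputStream zis = new ZipInputStream(zipStream)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                // Validate before touching the filesystem; a bad entry aborts the whole extraction.
                File target = resolveEntry(destRoot, destDir, entry.getName());
                if (entry.isDirectory()) {
                    if (!target.isDirectory() && !target.mkdirs()) {
                        throw new IOException("Cannot create directory: " + target);
                    }
                    continue;
                }
                File parent = target.getParentFile();
                if (parent != null && !parent.isDirectory() && !parent.mkdirs()) {
                    throw new IOException("Cannot create parent directory: " + parent);
                }
                try (OutputStream out = new FileOutputStream(target)) {
                    byte[] buf = new byte[8192];
                    int n;
                    while ((n = zis.read(buf)) > 0) {
                        out.write(buf, 0, n);
                    }
                }
            }
        }
    }

    /** Returns the file an entry maps to, or throws if the entry name escapes destRoot. */
    static File resolveEntry(String destRoot, File destDir, String entryName) throws IOException {
        File target = new File(destDir, entryName);
        // The trailing separator in destRoot prevents "/data/app/cache" from matching "/data/app/cache2".
        if (!target.getCanonicalPath().startsWith(destRoot)) {
            throw new IOException("Zip entry escapes target directory: " + entryName);
        }
        return target;
    }
}
```

The same canonical-path comparison applies to any file path an app builds from attacker-controlled input, not only to ZIP entry names.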

Google pays its bounty hunters

Google has established a maximum reward of $30,000 for remote code execution without user interaction and up to $7,500 for bugs enabling remote theft of sensitive data, with many categories for other vulnerabilities.

In August 2022, Google announced its intention to compensate security researchers for discovering bugs in the latest versions of Google open-source software (Google OSS). This includes critical projects such as Bazel, Angular, Golang, Protocol Buffers, and Fuchsia.

Having initiated its first VRP in 2010, Google has awarded over $50 million to thousands of security researchers worldwide. The program has led to the discovery of more than 15,000 vulnerabilities.