Google has launched the Mobile Vulnerability Rewards Program (Mobile VRP), a new bug bounty program that will pay security researchers for flaws found in the company's Android applications.

"We are excited to announce the new Mobile VRP! We are looking for bughunters to help us find and fix vulnerabilities in our mobile applications," Google VRP tweeted.

As the company explains, the main goal of the Mobile VRP is to speed up the process of finding and fixing weaknesses in first-party Android apps, meaning those developed or maintained by Google.

Applications in scope for the Mobile VRP include those developed by Google LLC, Developed with Google, Research at Google, Red Hot Labs, Google Samples, Fitbit LLC, Nest Labs Inc, Waymo LLC, and Waze.

The list of in-scope apps also contains what Google describes as "Tier 1" Android applications, which includes the following apps (and their package names):

  • Google Play Services (com.google.android.gms)
  • AGSA (com.google.android.googlequicksearchbox)
  • Google Chrome (com.android.chrome)
  • Google Cloud (com.google.android.apps.cloudconsole)
  • Gmail (com.google.android.gm)
  • Chrome Remote Desktop (com.google.chromeremotedesktop)

Qualifying vulnerabilities include those allowing arbitrary code execution (ACE) and theft of sensitive data, and weaknesses that could be chained with other flaws to lead to a similar impact.

These include orphaned permissions, path traversal or zip path traversal flaws leading to arbitrary file write, intent redirections that can be exploited to launch non-exported application components, and security bugs caused by unsafe usage of pending intents.
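Of the bug classes listed above, zip path traversal is the one with the most mechanical fix: the entry names inside an archive are attacker-controlled, so an extractor has to prove that each resolved target stays under the destination directory before writing. The following Java check is an added example written for this article, not code from Google or from any app in the program; the class and method names are made up, and no real archive is read, only constructed entry names.

```java
import java.io.File;
import java.io.IOException;
import java.util.zip.ZipEntry;

// Added example (hypothetical class, not from the article or from Google):
// a guard against the "zip path traversal" class named in the Mobile VRP
// scope. Without it, an entry such as "../../shared_prefs/x.xml" would be
// written outside the directory the app intended to extract into.
public final class SafeZipExtract {

    /** Resolves a zip entry to a File under destDir, or throws if it escapes. */
    public static File resolveEntry(File destDir, ZipEntry entry) throws IOException {
        String destCanonical = destDir.getCanonicalPath();
        if (!destCanonical.endsWith(File.separator)) {
            // Trailing separator so "/data/app-files2" does not pass as a
            // prefix match for "/data/app-files".
            destCanonical += File.separator;
        }
        File target = new File(destDir, entry.getName());
        // Canonicalisation collapses "..", repeated separators and existing
        // symlinks; only the canonical form says where the write really lands.
        String targetCanonical = target.getCanonicalPath();
        if (!targetCanonical.startsWith(destCanonical)) {
            throw new IOException("Zip entry escapes destination: " + entry.getName());
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        File dest = new File(System.getProperty("java.io.tmpdir"), "extract-demo");
        // Constructed sample entry names: one benign, one traversal attempt,
        // one with ".." that still resolves inside the destination.
        String[] names = {"assets/config.json", "../../evil.xml", "sub/../ok.txt"};
        for (String n : names) {
            try {
                System.out.println("accept " + resolveEntry(dest, new ZipEntry(n)));
            } catch (IOException e) {
                System.out.println("reject " + e.getMessage());
            }
        }
    }
}
```

The same prefix-on-canonical-path check applies to plain path traversal where a filename comes from an intent extra or a content URI rather than a zip entry.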

Google says that it will reward a maximum of $30,000 for remote code execution without user interaction and up to $7,500 for bugs allowing the theft of sensitive data remotely.

Reward tiers, by the attack prerequisite (1 = remote, no user interaction; 2 = user must follow a link that exploits the vulnerable app; 3 = user must install a malicious app, or the victim app is configured in a non-default way; 4 = attacker must be on the same network, e.g. MiTM):

  • Arbitrary Code Execution: 1) $30,000, 2) $15,000, 3) $4,500, 4) $2,250
  • Theft of Sensitive Data: 1) $7,500, 2) $4,500, 3) $2,250, 4) $750
  • Other Vulnerabilities: 1) $7,500, 2) $4,500, 3) $2,250, 4) $750

"The Mobile VRP recognizes the contributions and hard work of researchers who help Google improve the security posture of our first-party Android applications," Google said.

"The goal of the program is to mitigate vulnerabilities in first-party Android applications, and thus keep users and their data safe."

In August 2022, the company announced it would pay security researchers to find bugs in the latest released versions of Google open-source software (Google OSS), including its most sensitive projects like Bazel, Angular, Golang, Protocol buffers, and Fuchsia.

Since launching its first VRP over a decade ago, in 2010, Google has rewarded more than $50 million to thousands of security researchers worldwide for reporting over 15,000 vulnerabilities.

In 2022 it awarded $12 million, including a record-breaking $605,000 payout for an Android exploit chain of five separate security bugs reported by gzobqq, the highest in Android VRP history.

One year before, the same researcher submitted another critical exploit chain in Android, earning another $157,000—the previous bug bounty record in Android VRP history at the time.
