Google has launched the Mobile Vulnerability Rewards Program (Mobile VRP), a new bug bounty program that will pay security researchers for flaws found in the company’s Android apps.
“We are excited to announce the new Mobile VRP! We are looking for bug hunters to help us find and fix vulnerabilities in our mobile applications”, Google VRP tweeted.
As the company said, the main purpose of the Mobile VRP is to speed up the process of finding and fixing weaknesses in proprietary Android applications developed or maintained by Google.
Applications in scope for the Mobile VRP include those published under the developer names Google LLC, Developed with Google, Research at Google, Red Hot Labs, Google Samples, Fitbit LLC, Nest Labs Inc, Waymo LLC and Waze.
The list of in-scope apps also contains what Google describes as “Tier 1” Android apps, which include the following apps (and their package names):
- Google Play Services (com.google.android.gms)
- AGSA (com.google.android.googlequicksearchbox)
- Google Chrome (com.android.chrome)
- Google Cloud (com.google.android.apps.cloudconsole)
- Gmail (com.google.android.gm)
- Chrome Remote Desktop (com.google.chromeremotedesktop)
Qualifying vulnerabilities include those allowing execution of arbitrary code (ACE) and theft of sensitive data, and weaknesses that could be chained together with other flaws to lead to a similar impact.
These include orphaned permissions, path traversal or zip path traversal flaws leading to arbitrary file writes, intent redirects that can be exploited to launch non-exported application components, and security issues caused by insecure use of pending intents.
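Of the classes listed above, zip path traversal is the one most easily shown in a few lines: an app unpacks an archive it received (an update bundle, a theme pack, a shared file) and trusts each entry name when building the output path, so an entry named `../../shared_prefs/prefs.xml` lands outside the intended directory. The following Java class is an added example written for this article; it is not code from Google or from any of the apps named here. It builds a small constructed archive in memory with one benign and one traversal entry, shows the unsafe path construction beside the hardened canonical-path check, and classifies every entry before anything is written to disk. The class name, the `Decision` type and the temp-directory root are all assumptions; on Android the root would typically be the app's private files directory.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/** Hypothetical helper illustrating the zip path traversal check; not Google's code. */
public class ZipTraversalCheck {

    /** Outcome of validating one archive entry against the extraction root. */
    public static final class Decision {
        public final String entryName;
        public final boolean allowed;
        public final String resolvedPath;

        Decision(String entryName, boolean allowed, String resolvedPath) {
            this.entryName = entryName;
            this.allowed = allowed;
            this.resolvedPath = resolvedPath;
        }

        @Override
        public String toString() {
            return (allowed ? "ALLOW  " : "REJECT ") + entryName + " -> " + resolvedPath;
        }
    }

    /** Vulnerable pattern: the entry name is trusted as-is, so "../" segments walk out of root. */
    public static File unsafeTarget(File root, String entryName) {
        return new File(root, entryName);
    }

    /**
     * Hardened pattern: canonicalise both sides and require the target to sit strictly
     * below root. The trailing separator matters: a plain prefix test on "/data/app-files"
     * would also accept a sibling directory such as "/data/app-files2".
     */
    public static Decision checkEntry(File root, String entryName) throws IOException {
        String rootPath = root.getCanonicalPath() + File.separator;
        String targetPath = new File(root, entryName).getCanonicalPath();
        boolean inside = targetPath.startsWith(rootPath);
        return new Decision(entryName, inside, targetPath);
    }

    /** Walk the archive and classify every entry before any file is created. */
    public static List<Decision> scanArchive(byte[] zipBytes, File root) throws IOException {
        List<Decision> decisions = new ArrayList<>();
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(zipBytes))) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                decisions.add(checkEntry(root, entry.getName()));
                zin.closeEntry();
            }
        }
        return decisions;
    }

    /** Constructed sample archive: one benign entry and one traversal entry. */
    public static byte[] buildSampleArchive() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            for (String name : new String[] {"assets/config.json", "../../shared_prefs/prefs.xml"}) {
                zos.putNextEntry(new ZipEntry(name));
                zos.write("sample".getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Stand-in for an app's private files directory (on Android: context.getFilesDir()).
        File root = new File(System.getProperty("java.io.tmpdir"), "app-files/extract");
        for (Decision d : scanArchive(buildSampleArchive(), root)) {
            System.out.println(d);
            System.out.println("  unsafe construction would have used: " + unsafeTarget(root, d.entryName).getPath());
        }
    }
}
```

Running it prints `ALLOW` for `assets/config.json` and `REJECT` for the traversal entry, whose canonical path resolves two directories above the extraction root. The same canonical-prefix check applies to plain path traversal in file names taken from an intent or content URI; the archive case is only the more common way such a name reaches the app.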
Google says it will reward a maximum of $30,000 for remote code execution without user interaction and up to $7,500 for bugs that allow remote theft of sensitive data.
| Category | 1) Remote / no user interaction | 2) User must follow a link that exploits the vulnerable application | 3) User must install a rogue application, or the victim application is configured in a non-default way | 4) Attacker must be on the same network (e.g. MiTM) |
|---|---|---|---|---|
| Execution of arbitrary code | $30,000 | $15,000 | $4,500 | $2,250 |
| Theft of sensitive data | $7,500 | $4,500 | $2,250 | $750 |
“The Mobile VRP recognizes the contributions and hard work of researchers who help Google improve the security of our proprietary Android apps,” Google said.
“The goal of the program is to mitigate vulnerabilities in proprietary Android apps, thereby protecting users and their data.”
In August 2022, the company announced it would pay security researchers to find bugs in the latest released versions of Google’s open-source software (Google OSS), including its most sensitive projects such as Bazel, Angular, Golang, Protocol Buffers and Fuchsia.
Since the launch of its first VRP more than ten years ago, in 2010, Google has awarded over $50 million to thousands of security researchers worldwide for reporting over 15,000 vulnerabilities.
In 2022, it awarded $12 million, including a record payout of $605,000 for an Android exploit chain of five separate security bugs reported by gzobqq, the highest in Android VRP history.
A year prior, the same researcher submitted another critical exploit chain in Android, earning an additional $157,000, the previous bug bounty record in Android VRP history at the time.