Earn with Bugs: Google's Rewards for Finding Security Flaws in Top Android Apps

Google has unveiled its new Mobile Vulnerability Reward Program (VRP), offering substantial rewards for skilled bug hunters who identify and report security flaws in its major Android applications. The announcement was made on Twitter, with Google expressing excitement about the program and inviting bug hunters to assist in finding and resolving vulnerabilities in its mobile apps.

The primary focus of the Mobile VRP is on first-party Android apps, as Google aims to enhance user data security by identifying and eliminating potential vulnerabilities. The program encompasses Tier 1 applications, including Google Play Services, AGSA, Google Chrome, Google Cloud, Gmail, and Chrome Remote Desktop.

In addition to Tier 1 apps, the program extends to apps developed by various entities such as Google LLC, Developed with Google, Research at Google, Red Hot Labs, Google Samples, Fitbit LLC, Nest Labs Inc., Waymo LLC, and Waze.

Rewards start at $500, which applies to the theft of sensitive data or other vulnerabilities discovered in Tier 3 applications when the attacker is present on the same network. The most substantial reward, reaching up to $30,000, is reserved for remote arbitrary code execution vulnerabilities. Tiers 1, 2, and 3 correspond to rewards of $30,000, $25,000, and $20,000, respectively.

Furthermore, the program’s panel has the authority to grant discretionary $1,000 bonuses for exceptional findings or outstanding vulnerability write-ups.

The Mobile VRP emphasizes that, in addition to arbitrary code execution and sensitive data theft, other vulnerabilities will be considered if they have a significant security impact.

By launching this bug bounty program, Google aims to leverage the expertise of the broader security community to strengthen the security posture of its Android apps. It is a proactive step to ensure the protection of user data and to promote a safer mobile ecosystem.
