Shortly after announcing major upgrades to the Android devices bug reward program, Google has now announced the launch of a Mobile VRP for its Android apps. The new rewards program specifically covers vulnerabilities affecting the security of Google’s Android applications and their users.
Google Mobile VRP For Apps Will Reward Up To $30K
The tech giant Google has launched a dedicated Mobile Vulnerability Rewards Program (VRP) for its Android apps. The program welcomes bug hunters and researchers to scan and analyze Google-developed and Google-maintained Android applications, and detect vulnerabilities.
As elaborated on the program rules page, Google Mobile VRP applies to its “Tier 1” mobile applications, which include the following:
- Google Play Services (com.google.android.gms)
- AGSA (com.google.android.googlequicksearchbox)
- Google Chrome (com.android.chrome)
- Google Cloud (com.google.android.apps.cloudconsole)
- Gmail (com.google.android.gm)
- Chrome Remote Desktop (com.google.chromeremotedesktop)
Moreover, the program also covers apps published by the following developers:
- Google LLC
- Developed with Google
- Research at Google
- Red Hot Labs
- Google Samples
- Fitbit LLC
- Nest Labs Inc.
- Waymo LLC
- Waze
Qualifying Vulnerabilities Under Mobile VRP
Regarding the types of vulnerabilities covered by this bug reward program, Google lists the following as qualifying:
- Arbitrary code execution (ACE)
- Sensitive data exposure. Here, ‘sensitive’ data includes details that lead to unauthorized access to users’ accounts (such as login credentials), users’ contact lists, photos, SMS logs, and other user-generated content, and any PII, PHI, or financial information. In this category, however, Google does not count location data, non-sensitive internal files, or any data exposure not directly caused by Google’s apps.
- Intent redirections
- Path traversal
- Orphaned permissions
- Vulnerabilities triggered due to unsafe use of pending intents
On the other hand, issues such as hard-coded keys, trivially exploitable low-severity bugs, StrandHogg variants, and attacks that require a rooted device do not qualify for Mobile VRP.
Regarding the rewards, Google shared a detailed breakdown of bounties across the application tiers (including Tier 2 and Tier 3). The highest reward ($30,000) is reserved for remote arbitrary code execution flaws requiring no user interaction in Tier 1 apps, whereas the same class of ACE in Tier 2 and Tier 3 apps earns researchers $25,000 and $20,000, respectively.
More details about Mobile VRP are available on the Rules page, which interested researchers can visit to learn about and take advantage of this new bounty opportunity.
This move arrived shortly after Google announced major upgrades to its VRP for the Android system and devices. With those updates, Google aims to achieve better remediation of reported security issues.