Google has initiated a novel bug bounty scheme for its Android applications. This initiative, titled Mobile Vulnerability Rewards Program (Mobile VRP), incentivizes security researchers to identify defects in first-party applications. The Google VRP official Twitter account publicized the new bug bounty scheme, expressing, “We are excited to announce the new Mobile VRP! We are inviting bug hunters to assist us in discovering and rectifying vulnerabilities in our mobile applications.”
The announcement links to a webpage setting out the rules of Google's Mobile VRP. There, the company states the program's main objective: to speed up the discovery and fixing of vulnerabilities in its Android apps, chiefly those Google itself develops or maintains.
Google’s Mobile VRP: App Inclusion
Applications in scope for Google's Mobile VRP are those developed by Google or in collaboration with Google. This covers apps published under several developer names, including Google, Red Hot Labs, Google Samples, Fitbit LLC, Nest Labs Inc, Waymo LLC, and Waze.
Google has also divided the in-scope apps into three tiers. Tier 1 Android apps include Google Play Services, AGSA (the Android Google Search App), Google Chrome, Google Cloud, Gmail, and Chrome Remote Desktop.
Google has also defined which vulnerabilities qualify for the program: flaws that allow arbitrary code execution (ACE) or theft of sensitive data, along with vulnerabilities that lead to the same outcome when chained with other flaws.
Google has set rewards of up to $30,000 for bugs that give remote code execution with no user interaction, and up to $7,500 for vulnerabilities that allow remote theft of sensitive data by an attacker. The full payout matrix, by impact and by the conditions the attacker must meet, is as follows:
| Category | 1) Remote / no user interaction | 2) User must follow a link that exploits the vulnerable app | 3) User must install a malicious app, or the victim app is configured in a non-default way | 4) Attacker must be on the same network (e.g. MitM) |
|---|---|---|---|---|
| Arbitrary Code Execution | $30,000 | $15,000 | $4,500 | $2,250 |
| Theft of Sensitive Data | $7,500 | $4,500 | $2,250 | $750 |
| Other Vulnerabilities | $7,500 | $4,500 | $2,250 | $750 |
Google stated, “The Mobile VRP acknowledges the input and diligent efforts of researchers who assist Google in enhancing the security of our first-party Android applications. The program aims to alleviate vulnerabilities in first-party Android applications, thereby ensuring the safety of users and their data.”