Google has launched the Mobile Vulnerability Reward Program (Mobile VRP), a new bug bounty program that will pay security researchers for flaws found in the company’s Android apps.
“We’re excited to announce our new Mobile VRP! We’re looking for bughunters to help us find and fix security vulnerabilities in our mobile apps,” Google VRP tweeted.
As the company said, the main goal behind Mobile VRP is to speed up the process of finding and fixing vulnerabilities in first-party Android apps, developed or maintained by Google.
Apps in scope for the Mobile VRP include those published by Google LLC, Developed with Google, Research at Google, Red Hot Labs, Google Samples, Fitbit LLC, Nest Labs Inc, Waymo LLC, and Waze.
The list of in-scope apps also singles out what Google describes as “Tier 1” Android apps, which are the following (with their package names):
- Google Play Services (com.google.android.gms)
- AGSA (com.google.android.googlequicksearchbox)
- Google Chrome (com.android.chrome)
- Google Cloud (com.google.android.apps.cloudconsole)
- Gmail (com.google.android.gm)
- Chrome Remote Desktop (com.google.chromeremotedesktop)
Eligible vulnerabilities include those that allow arbitrary code execution (ACE) and theft of sensitive data, and vulnerabilities that can be linked to other flaws to lead to a similar effect.
These include orphaned permissions, path traversal or zip path traversal bugs that lead to arbitrary file writes, intent redirection that can be used to launch non-exported application components, and security flaws caused by unsafe use of pending intents.
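Two of the bug classes named above, zip path traversal and intent redirection, are easiest to recognize from code. The following is an added example written for this article, not code from Google or from any of the listed apps; it shows each vulnerable pattern next to a hardened version. The class and method names, the `"next"` extra, and the `ownPackage` parameter are illustrative assumptions, and the intent-redirection fix shown (refuse to forward into the app's own package and strip URI permission grants) is one common mitigation, not the only one.

```java
// Added example (not Google's code): vulnerable and hardened forms of
// zip path traversal and intent redirection in an Android app.
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

public class MobileVrpExamples {

    // ---- Zip path traversal -------------------------------------------------
    // Vulnerable: the entry name is trusted. An entry named
    // "../../shared_prefs/app.xml" escapes destDir and overwrites a file inside
    // the app's private sandbox, i.e. an arbitrary file write.
    static void unzipUnsafe(InputStream in, File destDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry e;
            while ((e = zis.getNextEntry()) != null) {
                File out = new File(destDir, e.getName());   // no containment check
                out.getParentFile().mkdirs();
                try (OutputStream os = new FileOutputStream(out)) { copy(zis, os); }
            }
        }
    }

    // Hardened: canonicalize both paths and require the target to stay under
    // destDir. Canonicalization resolves "..", "." and symlinks before the check.
    static File resolveEntrySafely(File destDir, String entryName) throws IOException {
        File out = new File(destDir, entryName);
        String base = destDir.getCanonicalPath() + File.separator;
        String target = out.getCanonicalPath();
        if (!target.startsWith(base)) {
            throw new IOException("zip entry escapes destination: " + entryName);
        }
        return out;
    }

    static void unzipSafe(InputStream in, File destDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry e;
            while ((e = zis.getNextEntry()) != null) {
                if (e.isDirectory()) continue;
                File out = resolveEntrySafely(destDir, e.getName());
                File parent = out.getParentFile();
                if (parent != null && !parent.isDirectory() && !parent.mkdirs()) {
                    throw new IOException("cannot create " + parent);
                }
                try (OutputStream os = new FileOutputStream(out)) { copy(zis, os); }
            }
        }
    }

    private static void copy(InputStream in, OutputStream out) throws IOException {
        byte[] buf = new byte[8192];
        int n;
        while ((n = in.read(buf)) > 0) out.write(buf, 0, n);
    }

    // ---- Intent redirection -------------------------------------------------
    // Vulnerable: an exported Activity starts whatever Intent the caller put in
    // the "next" extra. Because startActivity runs with this app's identity, a
    // malicious app can target this app's non-exported components or pass along
    // URI permission grants it would never get directly.
    public static class ProxyActivityUnsafe extends Activity {
        @Override protected void onCreate(Bundle saved) {
            super.onCreate(saved);
            Intent fwd = getIntent().getParcelableExtra("next");
            if (fwd != null) startActivity(fwd);          // vulnerable
        }
    }

    // Hardened: only forward explicit intents that leave this package, and
    // never forward one carrying URI permission grants. ownPackage is the
    // value of getPackageName() in the calling Activity.
    static boolean isSafeToForward(Intent fwd, String ownPackage) {
        if (fwd == null) return false;
        ComponentName cn = fwd.getComponent();
        if (cn == null || ownPackage.equals(cn.getPackageName())) return false;
        int grantFlags = Intent.FLAG_GRANT_READ_URI_PERMISSION
                       | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                       | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION;
        return (fwd.getFlags() & grantFlags) == 0;
    }

    public static class ProxyActivitySafe extends Activity {
        @Override protected void onCreate(Bundle saved) {
            super.onCreate(saved);
            Intent fwd = getIntent().getParcelableExtra("next");
            if (isSafeToForward(fwd, getPackageName())) startActivity(fwd);
            finish();
        }
    }
}
```

The canonical-path check is the part reviewers look for in zip handlers: a prefix check on the raw `entryName` is not enough, since `"a/../../x"` only reveals itself after resolution. For intent redirection, a reported bug typically needs the exported component to reach something non-exported, which is why the hardened version rejects any component inside the app's own package rather than trying to enumerate the dangerous ones.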
Google says it will reward up to $30,000 for remote code execution without user interaction and up to $7,500 for bugs that allow sensitive data to be stolen remotely.
Category | 1) Remote / no user interaction | 2) User must follow a link that exploits the vulnerable app | 3) User must install a malicious app or configure the victim app in a non-default way | 4) Attacker must be on the same network (e.g. MITM) |
---|---|---|---|---|
Arbitrary code execution | $30,000 | $15,000 | $4,500 | $2,250 |
Theft of sensitive data | $7,500 | $4,500 | $2,250 | $750 |
Other vulnerabilities | $7,500 | $4,500 | $2,250 | $750 |
“Mobile VRP recognizes the contributions and hard work of researchers who help Google improve the security of our first-party Android apps,” Google said.
“The goal of the program is to mitigate vulnerabilities in first-party Android apps, thereby keeping users and their data safe.”
In August 2022, the company announced that it would pay security researchers to find bugs in the latest released versions of Google’s open source software (Google OSS), including its most sensitive projects such as Bazel, Angular, Golang, protocol buffers, and Fuchsia.
Since launching the first VRP more than a decade ago, in 2010, Google has rewarded more than $50 million to thousands of security researchers worldwide for reporting more than 15,000 vulnerabilities.
In 2022, it awarded $12 million, including a record $605,000 for an Android exploit chain made up of five separate vulnerabilities reported by gzobqq, the highest in Android VRP history.
One year earlier, the same researcher submitted another critical Android exploit chain, earning another $157,000 — the previous record for bug bounty in the Android VRP history at the time.