Knowlesys

Google launches Mobile Vulnerability Rewards Program for its Android apps

Google has launched the Mobile Vulnerability Rewards Program (Mobile VRP), a new vulnerability rewards program that will pay security researchers for vulnerabilities found in the company's Android apps.

"We are excited to announce the new Mobile VRP! We are looking for bughunters to help us find and fix vulnerabilities in our mobile applications," Google VRP tweeted.

According to Google, the main goal of the Mobile VRP is to speed up the discovery and fixing of weaknesses in first-party Android apps, meaning apps developed or maintained by Google.

Apps in the scope of the Mobile VRP include those published under the developer names Google LLC, Developed with Google, Research at Google, Red Hot Labs, Google Samples, Fitbit LLC, Nest Labs Inc, Waymo LLC, and Waze.

The list of in-scope apps also contains what Google describes as "Tier 1" Android apps, which include the following apps (and their package names):

· Google Play Services (com.google.android.gms)

· AGSA, the Google app (com.google.android.googlequicksearchbox)

· Google Chrome (com.android.chrome)

· Google Cloud (com.google.android.apps.cloudconsole)

· Gmail (com.google.android.gm)

· Chrome Remote Desktop (com.google.chromeremotedesktop)

Eligible vulnerabilities are those that allow arbitrary code execution (ACE) or theft of sensitive data, as well as bugs that can be chained with other vulnerabilities to reach the same impact.

The examples Google gives are orphaned permissions; path traversal and zip path traversal flaws that lead to arbitrary file writes; intent redirection that can be abused to launch non-exported application components; and vulnerabilities caused by unsafe use of pending intents.
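The zip path traversal class above, as an added Java example that is not part of Google's program rules or any Google app code: an unzip routine that trusts `ZipEntry.getName()` next to a hardened version that canonicalizes the target path and rejects entries that escape the extraction directory. The archive is constructed inline for the demo, and the directory names (`files/unpacked`, `shared_prefs`) are assumptions chosen to mirror an Android app's private data layout; the code uses only the JDK so it runs on a desktop.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/**
 * Zip path traversal ("Zip Slip") demo: an unzip routine that trusts entry names
 * versus one that canonicalizes the target path and refuses entries that land
 * outside the extraction directory. On a device the unsafe version lets a hostile
 * archive overwrite files elsewhere in the app's data directory.
 */
public class ZipSlipDemo {

    /** Constructed sample archive for this demo (not taken from any real app or report). */
    static byte[] buildHostileZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("config.json"));
            zos.write("{\"ok\":true}".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            // Entry name climbs two levels above the extraction directory.
            zos.putNextEntry(new ZipEntry("../../shared_prefs/evil.xml"));
            zos.write("<map/>".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    /** VULNERABLE: builds the output path from entry.getName() with no containment check. */
    static void unzipUnsafe(InputStream in, File destDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry e;
            while ((e = zis.getNextEntry()) != null) {
                writeEntry(zis, e, new File(destDir, e.getName()));
            }
        }
    }

    /** HARDENED: every entry goes through resolveEntry() before anything is written. */
    static void unzipSafe(InputStream in, File destDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry e;
            while ((e = zis.getNextEntry()) != null) {
                writeEntry(zis, e, resolveEntry(destDir, e.getName()));
            }
        }
    }

    /**
     * Canonicalize both sides (resolving "..", symlinks and redundant separators) and
     * require the target to sit under destDir. Comparing with a trailing separator
     * stops a sibling such as ".../unpacked2" from matching ".../unpacked".
     */
    static File resolveEntry(File destDir, String entryName) throws IOException {
        String base = destDir.getCanonicalPath() + File.separator;
        File target = new File(destDir, entryName);
        String canon = target.getCanonicalPath() + File.separator;
        if (!canon.startsWith(base)) {
            throw new IOException("zip entry escapes extraction directory: " + entryName);
        }
        return target;
    }

    private static void writeEntry(ZipInputStream zis, ZipEntry e, File out) throws IOException {
        if (e.isDirectory()) { out.mkdirs(); return; }
        out.getParentFile().mkdirs();
        try (OutputStream os = Files.newOutputStream(out.toPath())) {
            zis.transferTo(os);
        }
    }

    public static void main(String[] args) throws Exception {
        File root = Files.createTempDirectory("zipslip").toFile();
        File dest = new File(root, "files/unpacked");
        dest.mkdirs();
        // Where the "../../shared_prefs/evil.xml" entry lands if the check is missing.
        File escaped = new File(root, "shared_prefs/evil.xml");

        unzipUnsafe(new ByteArrayInputStream(buildHostileZip()), dest);
        System.out.println("unsafe: file written outside dest? " + escaped.exists());

        escaped.delete();
        try {
            unzipSafe(new ByteArrayInputStream(buildHostileZip()), dest);
            System.out.println("safe: archive accepted (unexpected)");
        } catch (IOException ex) {
            System.out.println("safe: rejected -> " + ex.getMessage());
        }
        System.out.println("safe: file written outside dest? " + escaped.exists());
    }
}
```

Run it with `javac ZipSlipDemo.java && java ZipSlipDemo`. The first line reports that the unsafe routine wrote `evil.xml` two directories above the extraction directory; the hardened routine throws on that entry before writing it. The check is done on canonical paths rather than by scanning the name for `..`, because encoded variants, absolute paths and symlinks inside the extraction directory would all slip past a string match.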

Google said it will offer rewards of up to $30,000 for remote code execution that does not require user interaction and up to $7,500 for bugs that allow remote theft of sensitive data.

Google said the Mobile VRP recognizes the contributions of researchers who have already helped it improve the security of first-party Android apps, and that its goal is to mitigate vulnerabilities in those apps and thereby protect users and their data.

In August 2022, the company announced it would pay security researchers for vulnerabilities in the latest released versions of Google Open Source Software (Google OSS), including its most sensitive projects such as Bazel, Angular, Golang, Protocol Buffers and Fuchsia.

Since launching its first VRP in 2010, Google has awarded more than $50 million to thousands of security researchers around the world for reporting more than 15,000 vulnerabilities.

In 2022, it awarded $12 million, including a record $605,000 for an Android exploit chain of five separate vulnerabilities reported by the researcher gzobqq, the largest payout in the history of the Android VRP.

A year earlier, the same researcher submitted another critical Android exploit chain and was awarded $157,000, which was the Android VRP record at the time.
