
Earn up to $30,000! Google Launches Bug Bounty Program for Android App Vulnerabilities
todayMay 23, 2023
Cyber security + Global news 7 Defence
Google has introduced the Mobile Vulnerability Rewards Program (Mobile VRP), a new bug bounty initiative aimed at incentivizing security researchers to uncover vulnerabilities in the company’s Android applications. The program offers monetary rewards to bug hunters who find and help fix weaknesses in first-party Android apps that Google develops or maintains.
In an announcement on Twitter, the Google VRP team expressed excitement about the new Mobile VRP and invited bug hunters to help identify and resolve vulnerabilities in Google’s mobile applications.
The primary objective of the Mobile VRP is to expedite the process of identifying and addressing weaknesses in Google’s first-party Android apps. The program encompasses a wide range of applications, including those developed by Google LLC, Developed with Google, Research at Google, Red Hot Labs, Google Samples, Fitbit LLC, Nest Labs Inc, Waymo LLC, and Waze.
The in-scope list also names “Tier 1” Android applications, such as Google Play Services, AGSA (the Android Google Search app), Google Chrome, Google Cloud, Gmail, and Chrome Remote Desktop, each listed with its package name.
The Mobile VRP will reward researchers for qualifying vulnerabilities that allow arbitrary code execution, theft of sensitive data, and weaknesses that can be chained with other flaws to create a similar impact. These vulnerabilities may include orphaned permissions, path traversal or zip path traversal flaws leading to arbitrary file write, intent redirections, and security bugs resulting from unsafe usage of pending intents.
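The zip path traversal class named above (often called "Zip Slip") deserves a concrete look, since it is the one on the list that turns a data-handling bug into an arbitrary file write. The following is an added example, not code from the page or from any Google app: a constructed in-memory archive carries one benign entry and one entry whose name climbs out of the extraction directory (the `shared_prefs/evil.xml` target is hypothetical). `unsafe_targets` mirrors the vulnerable pattern of joining the entry name onto the destination and trusting it, but only computes where each entry would land so the demo never writes outside its scratch directory; `safe_extract` resolves every entry's final path against the real destination root and refuses the whole archive on the first escape, before anything is written. Python is used so the block runs stand-alone; the same canonical-path-prefix check is what an Android app would do in Java with `File.getCanonicalPath()` before writing. Note that Python's own `ZipFile.extract` already strips `..` components, which is why the example walks `infolist()` by hand, as an app with its own extraction loop would.

```python
import io
import os
import tempfile
import zipfile


def build_archive(with_traversal):
    """Constructed sample archive (test data, not from any real app): one
    benign asset and, optionally, one entry that escapes the extraction dir."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/config.json", '{"ok": true}')
        if with_traversal:
            # Hypothetical target: an app-private preferences file two levels up.
            zf.writestr("../../shared_prefs/evil.xml", "<map/>")
    return buf.getvalue()


def unsafe_targets(archive_bytes, dest):
    """The vulnerable pattern: os.path.join(dest, entry.filename) with the entry
    name trusted verbatim. Only computes where each entry would be written."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [os.path.realpath(os.path.join(dest, i.filename)) for i in zf.infolist()]


def is_inside(root, path):
    """True if the fully resolved path is root itself or lies beneath it."""
    return os.path.commonpath([root, path]) == root


def safe_extract(archive_bytes, dest):
    """Hardened extractor: validate every entry's resolved path first, then
    write. A single escaping entry rejects the archive with nothing written."""
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        planned = []
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if not is_inside(root, target):
                raise ValueError(f"zip path traversal blocked: {info.filename!r}")
            planned.append((info, target))
        for info, target in planned:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
    return [t for _, t in planned]


def demo():
    """Run both extractors against the constructed archives in a scratch
    directory and report what each did or would have done."""
    hostile = build_archive(with_traversal=True)
    benign = build_archive(with_traversal=False)
    with tempfile.TemporaryDirectory() as dest:
        root = os.path.realpath(dest)
        # Entries the naive join would have placed outside the destination.
        escaped = [p for p in unsafe_targets(hostile, root) if not is_inside(root, p)]
        try:
            safe_extract(hostile, dest)
            blocked = None
        except ValueError as exc:
            blocked = str(exc)
        leftover = os.listdir(dest)  # empty: validation ran before any write
        written = safe_extract(benign, dest)
    return {
        "escaped": escaped,
        "blocked": blocked,
        "leftover_after_block": leftover,
        "benign_written": [os.path.relpath(p, root).replace(os.sep, "/") for p in written],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points matter here. The check compares resolved paths, not strings, so `..` segments, repeated separators and symlinked destination directories are all normalised before the prefix comparison. And validation runs over the whole archive before the first write, so a crafted archive cannot leave a half-extracted state behind when it is rejected.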
Google has established a tiered reward system based on the category and severity of the vulnerability. For remote code execution without user interaction, researchers can earn up to $30,000, while bugs enabling the theft of sensitive data remotely can be rewarded with a maximum of $7,500.
Category | Remote/No User Interaction | User must follow a link | User must install malicious app or victim app is configured differently | Attacker must be on the same network |
---|---|---|---|---|
Arbitrary Code Execution | $30,000 | $15,000 | $4,500 | $2,250 |
Theft of Sensitive Data | $7,500 | $4,500 | $2,250 | $750 |
Other Vulnerabilities | $7,500 | $4,500 | $2,250 | $750 |
Google emphasized that the Mobile VRP aims to acknowledge the contributions and dedication of researchers who assist in enhancing the security of Google’s first-party Android applications, ultimately ensuring user safety and data protection.
This initiative follows Google’s announcement in August 2022 to offer rewards to security researchers for discovering bugs in the latest versions of its open-source software, including critical projects such as Bazel, Angular, Golang, Protocol Buffers, and Fuchsia.
Having launched its first Vulnerability Rewards Program over a decade ago, Google has provided over $50 million in rewards to thousands of security researchers worldwide for reporting more than 15,000 vulnerabilities. In 2022 alone, the company awarded $12 million, including a record-breaking $605,000 payout for an Android exploit chain reported by gzobqq, marking the highest reward in the history of Android VRP.
Google’s Mobile VRP underscores the company’s commitment to bolstering the security posture of its Android applications while fostering collaboration with the security research community to safeguard users and their data.
Written by: 7 Defence
Tagged as: google, bug bounty.
Copyright 2020 By 7Defence.