Google will reward researchers for finding vulnerabilities in its Android apps

Google has announced the Mobile Vulnerability Rewards Program (Mobile VRP), which focuses on first-party Android apps developed or maintained by Google. Under this program, Google will reward security researchers for finding vulnerabilities in selected apps.

Google has confirmed that apps by select developers are in scope for Mobile VRP. Here’s the list of developers:

  • Google LLC
  • Developed with Google
  • Research at Google
  • Red Hot Labs
  • Google Samples
  • Fitbit LLC
  • Nest Labs Inc.
  • Waymo LLC
  • Waze

The company has also divided apps into three tiers. Google Play Services, AGSA, Google Chrome, Google Cloud, Gmail, and Chrome Remote Desktop are Tier 1 apps. Apps that interact in some way with a Tier 1 application, user data, or Google’s services fall into Tier 2. Apps that do not handle user data or interact with Google’s services fall into Tier 3.

The primary aim of this program is to speed up the process of finding and patching vulnerabilities in Android apps developed or maintained by Google.

Google will pay a maximum of $30,000 under this program. This reward is for finding arbitrary code execution that requires no user interaction.

Application tier 1 rewards

| Category | 1) Remote/No User Interaction | 2) User must follow a link that exploits the vulnerable app | 3) User must install malicious app or victim app is configured in a non-default way | 4) Attacker must be on the same network (e.g. MiTM) |
|---|---|---|---|---|
| A) Arbitrary Code Execution | $30,000 | $15,000 | $4,500 | $2,250 |
| B) Theft of Sensitive Data | $7,500 | $4,500 | $2,250 | $750 |
| C) Other Vulnerabilities | $7,500 | $4,500 | $2,250 | $750 |

Application tier 2 rewards

| Category | 1) Remote/No User Interaction | 2) User must follow a link that exploits the vulnerable app | 3) User must install malicious app or victim app is configured in a non-default way | 4) Attacker must be on the same network (e.g. MiTM) |
|---|---|---|---|---|
| A) Arbitrary Code Execution | $25,000 | $12,500 | $3,750 | $1,875 |
| B) Theft of Sensitive Data | $6,250 | $3,750 | $1,875 | $625 |
| C) Other Vulnerabilities | $6,250 | $3,750 | $1,875 | $625 |

Application tier 3 rewards

| Category | 1) Remote/No User Interaction | 2) User must follow a link that exploits the vulnerable app | 3) User must install malicious app or victim app is configured in a non-default way | 4) Attacker must be on the same network (e.g. MiTM) |
|---|---|---|---|---|
| A) Arbitrary Code Execution | $20,000 | $10,000 | $3,000 | $1,500 |
| B) Theft of Sensitive Data | $5,000 | $3,000 | $1,500 | $500 |
| C) Other Vulnerabilities | $5,000 | $3,000 | $1,500 | $500 |

Google announced its Vulnerability Reward Program back in 2010 and has already paid more than $50 million to thousands of security researchers for reporting more than 15,000 vulnerabilities. It awarded $12 million in 2022 alone. This shows how serious Google is about the security of its products.
