Home » Security News » Google will reward researchers for finding vulnera...

Google will reward researchers for finding vulnerabilities in its Android apps

Deepanker Verma May 23, 2023 Security

Add Techlomedia as a preferred source on Google.

Google has announced Mobile Vulnerability Rewards Program with a focus on first-party Android apps developed or maintained by Google. Under this program, Google will reward security researchers for finding vulnerabilities in selected apps.

We are excited to announce the new Mobile VRP! We are looking for bughunters to help us find and fix vulnerabilities in our mobile applications. https://t.co/HDs1hnGpbH
— Google VRP (Google Bug Hunters) (@GoogleVRP) May 22, 2023

Google has confirmed that apps by select developers are in scope for Mobile VRP. Here’s the list of developers:

Google LLC
Developed with Google
Research at Google
Red Hot Labs
Google Samples
Fitbit LLC
Nest Labs Inc.
Waymo LLC
Waze

The company has also divided apps into three different tiers. Google Play Services, AGSA, Google Chrome, Google Cloud, Gmail, and Chrome Remote Desktop are Tier 1 apps. Apps that interact in some way with either a Tier 1 application, user data, or Google’s services fall into the Tier 2 category. Apps that do not handle user data or interact with Google’s services are listed in the tier 3 category.

The primary aim of this program is to speed up the process of finding and patching vulnerabilities in Android apps developed or maintained by Google.

Google will reward a maximum of $30,000 under this program. This reward is for finding arbitrary code execution with no user interaction.

Application tier 1 rewards

Category	1) Remote/No User Interaction	2) User must follow a link that exploits the vulnerable app	3) User must install malicious app or victim app is configured in a non-default way	4) Attacker must be on the same network (e.g. MiTM)
A) Arbitrary Code Execution	$30,000	$15,000	$4,500	$2,250
B) Theft of Sensitive Data	$7,500	$4,500	$2,250	$750
C) Other Vulnerabilities	$7,500	$4,500	$2,250	$750

Application tier 2 rewards

Category	1) Remote/No User Interaction	2) User must follow a link that exploits the vulnerable app	3) User must install malicious app or victim app is configured in a non-default way	4) Attacker must be on the same network (e.g. MiTM)
A) Arbitrary Code Execution	$25,000	$12,500	$3,750	$1,875
B) Theft of Sensitive Data	$6,250	$3,750	$1,875	$625
C) Other Vulnerabilities	$6,250	$3750	$1,875	$625

Application tier 3 rewards

Category	1) Remote/No User Interaction	2) User must follow a link that exploits the vulnerable app	3) User must install malicious app or victim app is configured in a non-default way	4) Attacker must be on the same network (e.g. MiTM)
A) Arbitrary Code Execution	$20,000	$10,000	$3,000	$1,500
B) Theft of Sensitive Data	$5,000	$3,000	$1,500	$500
C) Other Vulnerabilities	$5,000	$3,000	$1,500	$500

Google announced Vulnerability Reward Program back in 2010 and has already paid more than $50 million to thousands of security researchers for reporting more than 15,000 vulnerabilities. It awarded $12 million in just 2022. It shows how serious Google is about the security of its products.

Also see: Android version list with names and release dates

Follow Techlomedia on Google News to stay updated.

Affiliate Disclosure:

This article may contain affiliate links. We may earn a commission on purchases made through these links at no extra cost to you.

About the Author: Deepanker Verma

Deepanker Verma is the Founder and Editor-in-Chief of TechloMedia. He holds Engineering degree in Computer Science and has over 15 years of experience in the technology sector. Deepanker bridges the gap between complex engineering and consumer electronics. He is also a a known Security Researcher acknowledged by global giants including Apple, Microsoft, and eBay. He uses his technical background to rigorously test gadgets, focusing on performance, security, and long-term value.