Google has announced the Mobile Vulnerability Rewards Program (Mobile VRP), which focuses on first-party Android apps developed or maintained by Google. Under this program, Google will reward security researchers for finding vulnerabilities in selected apps.
Google has confirmed that apps published by the following developers are in scope for the Mobile VRP:
- Google LLC
- Developed with Google
- Research at Google
- Red Hot Labs
- Google Samples
- Fitbit LLC
- Nest Labs Inc.
- Waymo LLC
- Waze
The company has also divided the in-scope apps into three tiers. Google Play Services, AGSA (the Google app), Google Chrome, Google Cloud, Gmail, and Chrome Remote Desktop are Tier 1 apps. Apps that interact with a Tier 1 app, handle user data, or interact with Google's services fall into Tier 2. Apps that neither handle user data nor interact with Google's services fall into Tier 3.
The primary aim of the program is to speed up the discovery and patching of vulnerabilities in Android apps developed or maintained by Google.
The maximum reward under this program is $30,000, paid for arbitrary code execution in a Tier 1 app that requires no user interaction. Rewards scale down by tier, by vulnerability category, and by the amount of user interaction or attacker positioning the exploit requires, as the three tables below show.
Tier 1 apps:

Category | 1) Remote/No User Interaction | 2) User must follow a link that exploits the vulnerable app | 3) User must install malicious app or victim app is configured in a non-default way | 4) Attacker must be on the same network (e.g. MiTM) |
---|---|---|---|---|
A) Arbitrary Code Execution | $30,000 | $15,000 | $4,500 | $2,250 |
B) Theft of Sensitive Data | $7,500 | $4,500 | $2,250 | $750 |
C) Other Vulnerabilities | $7,500 | $4,500 | $2,250 | $750 |

Tier 2 apps:

Category | 1) Remote/No User Interaction | 2) User must follow a link that exploits the vulnerable app | 3) User must install malicious app or victim app is configured in a non-default way | 4) Attacker must be on the same network (e.g. MiTM) |
---|---|---|---|---|
A) Arbitrary Code Execution | $25,000 | $12,500 | $3,750 | $1,875 |
B) Theft of Sensitive Data | $6,250 | $3,750 | $1,875 | $625 |
C) Other Vulnerabilities | $6,250 | $3,750 | $1,875 | $625 |

Tier 3 apps:

Category | 1) Remote/No User Interaction | 2) User must follow a link that exploits the vulnerable app | 3) User must install malicious app or victim app is configured in a non-default way | 4) Attacker must be on the same network (e.g. MiTM) |
---|---|---|---|---|
A) Arbitrary Code Execution | $20,000 | $10,000 | $3,000 | $1,500 |
B) Theft of Sensitive Data | $5,000 | $3,000 | $1,500 | $500 |
C) Other Vulnerabilities | $5,000 | $3,000 | $1,500 | $500 |
Google launched its Vulnerability Reward Program back in 2010 and has since paid more than $50 million to thousands of security researchers for reporting more than 15,000 vulnerabilities, including $12 million in 2022 alone. The Mobile VRP extends that program to Google's own Android apps.