
Google Boosts Bug Bounty Payouts Tenfold in Mobile App Security Push

Researchers can earn as much as $450,000 for a single vulnerability report as Google boosts its mobile vulnerability rewards program.


Google on Tuesday announced that the bug bounty rewards offered as part of its Mobile VRP launched last year have been increased ten-fold.

Close to $100,000 has been handed out in bug bounty rewards as part of the program, which kicked off in May 2023 to include Google’s own mobile applications, along with apps from Developed with Google, Research at Google, Google Samples, Red Hot Labs, Fitbit LLC, Nest Labs Inc., Waymo LLC, and Waze.

Now, the company says researchers can earn as much as $450,000 for a single vulnerability report, should their submission meet certain criteria.

First, the flaw must impact a Tier 1 mobile application, such as Google Play Services, AGSA, Google Cloud, or Gmail, and should lead to remote code execution without user interaction.

Second, the report should be of exceptional quality and include a proposed patch or mitigation and root cause analysis, along with an accurate description of the issue, proof-of-concept (PoC) code, an example APK, explanation of reproduction steps, and impact analysis.


“One of the things we want to achieve is to encourage bug hunters to spend a little more time crafting and refining their reports. To incentivize bug hunters to do so, we established a new reward modifier to reward bug hunters for the extra time and effort they invest when creating high-quality reports that clearly demonstrate the impact of their findings,” according to a note from Google.

Reports without a proposed patch and root cause analysis are considered good quality and may earn researchers up to $300,000 in rewards, a ten-fold increase compared to last year’s rewards. In fact, this is the highest amount Google is offering, but exceptional reports are eligible for a 50% bonus.

Google has increased the top rewards across the chart, offering up to $150,000 for code execution flaws in Tier 2 apps (software that handles user data or interacts with Google apps or services), and up to $45,000 for issues in Tier 3 apps (all other apps in the scope of the program).

However, the internet giant also cautions that vulnerability reports considered low quality will receive only half of the reward amount.

Vulnerabilities leading to the theft of sensitive data, path traversal bugs, intent redirection flaws, issues rooted in the unsafe usage of pending intents, and orphaned permission defects are also within the scope of Google’s Mobile VRP.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.

