Connect with us

Hi, what are you looking for?



Google Expands Vulnerability Reward Program to Mobile Apps

Researchers who identify vulnerabilities in mobile applications officially developed by Google will be rewarded for their effort, the search giant announced last week.

Researchers who identify vulnerabilities in mobile applications officially developed by Google will be rewarded for their effort, the search giant announced last week.

Up until now, the Vulnerability Reward Program (VRP) covered Google-owned Web services such as,, and, and browser apps and extensions hosted on the Chrome Web Store. Now, security experts will also be rewarded for reporting security holes in any of the mobile applications published by the company on Google Play and iTunes.

Another major addition to Google’s bug bounty program is an experimental initiative called Vulnerability Research Grants. Researchers have contributed greatly over the past years to making Google’s products secure. However, since it has become increasingly difficult to identify flaws, the company wants to ensure experts are not discouraged from analyzing Google services.

As part of the Vulnerability Research Grants program, Google will pay researchers as much as $3,133.7 up front, with no strings attached. For newly launched services, the grant amount starts at $500. Another grant category, for which the minimum amount is $1,337, targets sensitive products, such as Search, Wallet, Gmail, Inbox, Code, the App Engine, the Chrome Web Store, Admin, Developers Console, and Google Play. Researchers can also analyze recently patched vulnerabilities.

In addition to the grant money, participants will be rewarded for each of the issues they find under the VRP.

“The program is intended for our top performing, frequent vulnerability researchers as well as invited experts, and we hope it will allow us to reward the security researchers time and attention including the situations when they don’t find any vulnerabilities,” Google said.

Since the launch of its bug bounty program in 2010, the search giant has paid out a total of $4 million to researchers. Last year, the company rewarded more than 200 researchers with a total of $1.5 million for reporting more than 500 bugs.

Advertisement. Scroll to continue reading.

Google’s own researchers have identified numerous vulnerabilities in the products of other vendors. The affected companies are always notified, but they are given a strict 90-day deadline before the details of the security hole are made public. This year, Google’s Zero Project disclosed flaws affecting Apple and Microsoft products just days before the vendors got a chance to release patches for them.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.