
Google Launches Bug Bounty Program for Mobile Applications

Google introduces Mobile VRP bug bounty program for vulnerabilities in its mobile applications.

Google this week introduced Mobile VRP (vulnerability rewards program), a new bug bounty program for reporting vulnerabilities found in the company’s mobile applications.

The Mobile VRP runs alongside the Android and Google Devices security reward program, which rewards security researchers for issues identified in the Android OS, Pixel phones, and Google Nest and Fitbit devices.

The new program is specifically designed for first-party Android applications, which fall into three categories. Tier 1 apps include Google’s own Play Services, AGSA (Android Google Search app), Chrome, Cloud, Gmail, and Chrome Remote Desktop software.

Applications published by Developed with Google, Research at Google, Red Hot Labs, Google Samples, Fitbit LLC, Nest Labs Inc., Waymo LLC, and Waze are also within scope, the internet giant says.

As part of Mobile VRP, Google is looking for reports describing flaws leading to arbitrary code execution and theft of sensitive data (credentials and personal information), but may also accept submissions of other types of bugs with a security impact, such as path traversal, intent redirections, unsafe usage of pending intents, and orphaned permissions.

The internet giant is willing to pay up to $30,000 for vulnerabilities in Tier 1 apps that can be exploited remotely without user interaction to achieve arbitrary code execution. The lowest reward for this type of bug is $2,250.

Researchers reporting issues in Tier 2 and Tier 3 apps may earn up to $25,000 and $20,000, respectively, for similar vulnerabilities.


Flaws leading to sensitive data theft and other types of issues will be awarded between $750 and $7,500 for Tier 1 apps, between $625 and $6,250 for Tier 2 software, and between $500 and $5,000 for Tier 3 applications.

Google notes it may also award $1,000 bonuses for surprising vulnerabilities or exceptional writeups. Researchers are encouraged to present their findings in a succinct manner, adding a short proof-of-concept (PoC) if possible.

Researchers interested in participating in the Mobile VRP should only target their own accounts and should submit their findings through Google’s report page. Additional information on the program can be found on the new Mobile VRP page.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
