
Google Launches Bug Bounty Program for Mobile Applications

Google introduces Mobile VRP bug bounty program for vulnerabilities in its mobile applications.

Google this week introduced Mobile VRP (vulnerability rewards program), a new bug bounty program for reporting vulnerabilities found in the company’s mobile applications.

The Mobile VRP runs alongside the Android and Google Devices security reward program, which rewards security researchers for issues identified in the Android OS, Pixel phones, and Google Nest and Fitbit devices.

The new program is specifically designed for first-party Android applications, which fall into three categories. Tier 1 apps include Google’s own Play Services, AGSA (Android Google Search app), Chrome, Cloud, Gmail, and Chrome Remote Desktop software.

Applications published by Developed with Google, Research at Google, Red Hot Labs, Google Samples, Fitbit LLC, Nest Labs Inc., Waymo LLC, and Waze are also within scope, the internet giant says.

As part of Mobile VRP, Google is looking for reports describing flaws leading to arbitrary code execution and theft of sensitive data (credentials and personal information), but may also accept submissions of other types of bugs with a security impact, such as path traversal, intent redirections, unsafe usage of pending intents, and orphaned permissions.

The internet giant is willing to pay up to $30,000 for vulnerabilities in Tier 1 apps that can be exploited remotely without user interaction to achieve arbitrary code execution. The lowest reward for this type of bug is $2,250.

Researchers reporting issues in Tier 2 and Tier 3 apps may earn up to $25,000 and $20,000, respectively, for similar vulnerabilities.

Flaws leading to sensitive data theft and other types of issues will be awarded between $750 and $7,500 for Tier 1 apps, between $625 and $6,250 for Tier 2 software, and between $500 and $5,000 for Tier 3 applications.


Google notes it may also award $1,000 bonuses for surprising vulnerabilities or exceptional writeups. Researchers are encouraged to present their findings in a succinct manner, adding a short proof-of-concept (PoC) if possible.

Researchers interested in participating in the Mobile VRP should only target their own accounts and should submit their findings through Google’s report page. Additional information on the program can be found on the new Mobile VRP page.

Related: Google Announces New Rating System for Android and Device Vulnerability Reports

Related: Google Improves Android Security With New APIs

Related: Google Paid Out $12 Million via Bug Bounty Programs in 2022

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
