Google this week introduced Mobile VRP (vulnerability rewards program), a new bug bounty program for reporting vulnerabilities found in the company’s mobile applications.
The Mobile VRP runs alongside the Android and Google Devices security reward program, which rewards security researchers for issues identified in the Android OS, Pixel phones, and Google Nest and Fitbit devices.
The new program is specifically designed for first-party Android applications, which fall into three categories. Tier 1 apps include Google’s own Play Services, AGSA (Android Google Search app), Chrome, Cloud, Gmail, and Chrome Remote Desktop software.
Applications published by Developed with Google, Research at Google, Red Hot Labs, Google Samples, Fitbit LLC, Nest Labs Inc., Waymo LLC, and Waze are also within scope, the internet giant says.
As part of Mobile VRP, Google is looking for reports describing flaws leading to arbitrary code execution and theft of sensitive data (credentials and personal information), but may also accept submissions of other types of bugs with a security impact, such as path traversal, intent redirections, unsafe usage of pending intents, and orphaned permissions.
The internet giant is willing to pay up to $30,000 for vulnerabilities in Tier 1 apps that can be exploited remotely without user interaction to achieve arbitrary code execution. The lowest reward for this type of bugs is $2,250.
Researchers reporting issues in Tier 2 and Tier 3 apps may earn up to $25,000 and $20,000, respectively, for similar vulnerabilities.
Flaws leading to sensitive data theft and other types of issues will be awarded between $750 and $7,500 for Tier 1 apps, between $625 and $6,250 for Tier 2 software, and between $500 and $5,000 for Tier 3 applications.
Google notes it may also award $1,000 bonuses for surprising vulnerabilities or exceptional writeups. Researchers are encouraged to present their findings in a succinct manner, adding a short proof-of-concept (PoC) if possible.
Researchers interested in participating in the Mobile VRP should only target their own accounts and should submit their findings through Google’s report page. Additional information on the program can be found on the new Mobile VRP page.
Related: Google Announces New Rating System for Android and Device Vulnerability Reports
Related: Google Improves Android Security With New APIs
Related: Google Paid Out $12 Million via Bug Bounty Programs in 2022