Google has announced a new Android bug bounty program offering rewards in the tens of thousands of dollars for those looking to try out their expertise.
The new Mobile Vulnerability Reward Program (VRP) was announced on Twitter, where the company noted, “We are excited to announce the new Mobile VRP! We are looking for bughunters to help us find and fix vulnerabilities in our mobile applications.”
According to the program summary, first-party Android apps are the key focus of this Mobile VRP, which aims to find and eliminate vulnerabilities to keep users’ data safe.
Android bug bounty program
Tier 1 applications are considered in scope for the program, comprising Google Play Services, AGSA, Google Chrome, Google Cloud, Gmail, and Chrome Remote Desktop.
Beyond the above Tier 1 apps, the program also considers apps made by the following developers: Google LLC, Developed with Google, Research at Google, Red Hot Labs, Google Samples, Fitbit LLC, Nest Labs Inc., Waymo LLC, Waze.
Rewards start at $500, which applies to the theft of sensitive data or other vulnerabilities in Tier 3 applications in cases where the attacker is on the same network. Remote arbitrary code execution carries the most lucrative rewards: $30,000, $25,000, and $20,000 for Tiers 1, 2, and 3 respectively.
Additionally, the program’s panel has been authorized to award discretionary $1,000 bonuses for various reasons, like “for a particularly surprising vulnerability, or an exceptional writeup.”
As well as arbitrary code execution and the theft of sensitive data, the Mobile VRP states that other vulnerabilities “will be taken into consideration if they are shown to have a security impact.”
Examples of non-qualifying discoveries, along with more detailed information about the program, can be found on the Mobile VRP website.