Google Extends Bug Bounty to Its First-Party Android Apps

Written by Staff
    Google is extending its bug bounty program to include first-party Android apps, paying high prices for discovered vulnerabilities.

    Bug bounties are a popular way for companies to find and fix vulnerabilities and security issues, relying on researchers and users to report bugs they discover. Depending on the company, bounties can be significant enough that some researchers make their entire livelihood from finding bugs.

    Journalist Mishaal Rahman was the first to spot Google’s new program for its first-party Android apps:

    Google has added a new Vulnerability Reward Program (VRP) called the Mobile VRP that focuses on its first-party Android apps.

    Security researchers that disclose qualifying vulnerabilities impacting Android apps developed or maintained by Google can be rewarded depending on the type of vulnerability, the scenario in which the vulnerability can be exploited, and the importance of the app that’s affected.

    The company outlined its goals in a blog post:

    Google’s Mobile Vulnerability Rewards Program (Mobile VRP) focuses on first-party Android applications developed or maintained by Google.

    The Mobile VRP recognizes the contributions and hard work of researchers who help Google improve the security posture of our first-party Android applications.

    The goal of the program is to mitigate vulnerabilities in first-party Android applications, and thus keep users and their data safe.

    Google’s payouts are quite generous, especially for Tier 1 apps, which include Gmail, Google Cloud, Google Chrome, Google Play Services, Chrome Remote Desktop, and AGSA. The smallest payout comes in at $600 and scales up to $30,000 for arbitrary code execution that requires no user interaction.
