Google Unveils Bug Bounty Program For Android Apps

Written by

Google has enhanced the security of its first-party Android applications by launching the Mobile Vulnerability Reward Program (Mobile VRP).

The tech giant made the announcement on Twitter Monday, hours after publishing the new initiative.

The Mobile VRP aims to encourage researchers and security experts to identify and report vulnerabilities in Google-developed or maintained Android apps. 

The program acknowledges vulnerabilities that fall into two major categories: Arbitrary Code Execution (ACE) and Theft of Sensitive Data. 

Read more on Google’s privacy and security efforts: Apple and Google Unveil Industry Specification For Unwanted Tracking

The Mobile VRP divides applications into three tiers based on their association with user data or Google services. Each tier has corresponding reward amounts, which depend on the vulnerability type and exploitation scenario. 

In Tier 1, the maximum rewards range from $750 for MiTM (Man-in-the-Middle) scenarios involving Theft of Sensitive Data to $30,000 for remote/no user interaction ACE vulnerabilities.

“The panel can apply a discretionary $1,000 bonus – e.g., for a particularly surprising vulnerability or an exceptional writeup,” read the program rules.

Google clarified that only apps published by the developers in the new list or apps in the Tier 1 list qualify for rewards. However, the firm acknowledged that other flaws may still be eligible for rewards if they demonstrate a security impact.

By offering rewards for contributions, Google said that it hopes to maintain user trust and safeguard sensitive data.

“The Mobile VRP recognizes the contributions and hard work of researchers who help Google improve the security posture of our first-party Android applications,” reads the post.

“The goal of the program is to mitigate vulnerabilities in first-party Android applications and thus keep users and their data safe.”

The Mobile VRP comes weeks after Google unveiled a new policy for Android apps that enable account creation.

Editorial image credit: Primakov / Shutterstock.com

What’s hot on Infosecurity Magazine?