May 2023 – Google, a pioneer in internet-related services and technology, has recently updated its Android Vulnerability Reward Program (VRP). In a push to fortify the security of its native Android apps, the tech giant has launched an exciting new program that calls upon the expertise of security researchers worldwide.
Dubbed the Mobile VRP, the new initiative is Google’s way of inviting ‘bug hunters’ to identify and rectify potential security flaws in its mobile applications. This program specifically targets Google’s proprietary applications preinstalled on Android devices.
Applications included in the Mobile VRP are:
– Google Play Services (com.google.android.gms)
– AGSA( com.google.android.googlequicksearchbox)
– Google Chrome (com.google.android.chrome)
– Google Cloud (com.google.android.apps.cloudconsole)
– Gmail (com.google.android.gm)
– Chrome Remote Desktop (com.google.chromeremotedesktop)
Reward tiers are set based on the vulnerability type and operation, with the topmost being a $30,000 reward for zero-click vulnerabilities, where remote code execution can occur without any user interaction.
The four tiers are structured as follows: remote/no user interaction, user required to click a link of a vulnerable app, user required to install a malicious app or non-default configuration of the target app, and attacker and victim on the same network, such as a Man-in-the-Middle (MiTM) attack.
The maximum rewards for each tier are $30,000, $15,000, $4,500, and $2,250 respectively. Google hopes that these attractive incentives will spur researchers into actively participating, subsequently reducing the vulnerability of first-party Android apps and ensuring user data security.
For more information about the Mobile VRP, you can visit the official program rules page at: https://bughunters.google.com/about/rules/6618732618186752/google-mobile-vulnerability-reward-program-rules
This latest move by Google once again underscores its commitment to security and underlines the crucial role the security research community plays in bolstering user data safety. By bringing fresh eyes to the task, Google continues its mission of maintaining an unassailable security posture in an increasingly cyber-threatened world.