For its Android apps, Google has introduced a new bug bounty program. The internet giant will reward security researchers for vulnerabilities discovered in first-party apps under the Mobile Vulnerability Rewards Program (Mobile VRP). The Mobile VRP’s primary objective is to expedite the process of identifying and resolving vulnerabilities in first-party Android applications.
Apps that fall under Google Mobile VRP
The apps covered by Google’s Mobile VRP are those developed by Google LLC or in collaboration with Google. Apps published by Google, Red Hot Labs, Google Samples, Fitbit LLC, Nest Labs Inc, Waymo LLC, and Waze are also being considered for inclusion.
Google designates a subset of in-scope apps as “Tier 1” Android applications. Among them are Google Play Services, AGSA, Google Chrome, Google Cloud, Gmail, and Chrome Remote Desktop.
Qualifying vulnerabilities include those that permit arbitrary code execution (ACE), those that allow the theft of sensitive data, and flaws that can be chained with others to the same effect. Examples are orphaned permissions, path traversal or zip path traversal weaknesses that allow uncontrolled file writes, intent redirections that can be used to invoke non-exported application components, and security problems caused by improper use of pending intents.
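As an added illustration of the zip path traversal class mentioned above (not code from Google or the program itself), the following plain-Java extractor canonicalises every entry path against the destination directory and skips entries that would land outside it; it assumes a Java 9+ JVM (for `InputStream.transferTo`) and builds a constructed sample archive in memory rather than using any Android API.

```java
import java.io.*;
import java.nio.file.Files;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.*;
public class SafeUnzip {
    // True when the entry name, once resolved against destDir, lands outside it
    // (e.g. "../../evil.txt"); canonical paths also collapse "." and symlink segments.
    static boolean escapesDestination(File destDir, String entryName) throws IOException {
        String base = destDir.getCanonicalPath() + File.separator;
        return !new File(destDir, entryName).getCanonicalPath().startsWith(base);
    }

    // Extracts the archive into destDir; traversal entries are skipped and their names returned.
    static List<String> extract(byte[] zip, File destDir) throws IOException {
        List<String> rejected = new ArrayList<>();
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(zip))) {
            for (ZipEntry e = zin.getNextEntry(); e != null; e = zin.getNextEntry()) {
                if (escapesDestination(destDir, e.getName())) {
                    rejected.add(e.getName());
                    continue;
                }
                File target = new File(destDir, e.getName());
                if (e.isDirectory()) { target.mkdirs(); continue; }
                target.getParentFile().mkdirs();
                try (OutputStream out = new FileOutputStream(target)) { zin.transferTo(out); }
            }
        }
        return rejected;
    }
    // Constructed sample: one benign entry and one that tries to climb out of destDir.
    static byte[] sampleZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bos)) {
            for (String[] entry : new String[][] {{"config/settings.txt", "ok"}, {"../../evil.txt", "bad"}}) {
                zout.putNextEntry(new ZipEntry(entry[0]));
                zout.write(entry[1].getBytes());
                zout.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        File dest = Files.createTempDirectory("unzip").toFile();
        System.out.println("Rejected entries: " + extract(sampleZip(), dest));
        System.out.println("Benign entry extracted: " + new File(dest, "config/settings.txt").exists());
    }
}
```

On Android the same check applies when unpacking archives into app-private storage; without it a crafted entry name can overwrite files such as native libraries or shared preferences, which is exactly the uncontrolled-write condition the program rewards.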
“The Mobile VRP recognizes the contributions and hard work of researchers who help Google improve the security posture of our first-party Android applications,” Google said. “The goal of the program is to mitigate vulnerabilities in first-party Android applications, and thus keep users and their data safe,” Google added.
According to Google, it will pay up to $30,000 for remote code execution that requires no user interaction and up to $7,500 for flaws that enable the remote theft of sensitive data.