"Google Launches Bug Bounty Program for Mobile Applications"

Google recently introduced Mobile VRP (Vulnerability Rewards Program), a new bug bounty program for reporting vulnerabilities found in the company’s mobile applications. The Mobile VRP runs alongside the Android and Google Devices security reward program, which rewards security researchers for issues identified in the Android OS, Pixel phones, and Google Nest and Fitbit devices.

Google noted that the new program is specifically designed for first-party Android applications, which fall into three categories. Tier 1 apps include Google’s own Play Services, AGSA (Android Google Search app), Chrome, Cloud, Gmail, and Chrome Remote Desktop software. Applications published by Developed with Google, Research at Google, Red Hot Labs, Google Samples, Fitbit LLC, Nest Labs Inc., Waymo LLC, and Waze are also within scope.

Google stated that as part of Mobile VRP, it is looking for reports describing flaws leading to arbitrary code execution and theft of sensitive data (credentials and personal information) but may also accept submissions of other types of bugs with a security impact, such as path traversal, intent redirections, unsafe usage of pending intents, and orphaned permissions.

The internet giant is willing to pay up to $30,000 for vulnerabilities in Tier 1 apps that can be exploited remotely without user interaction to achieve arbitrary code execution. The lowest reward for this type of bug is $2,250. Researchers reporting issues in Tier 2 and Tier 3 apps may earn up to $25,000 and $20,000, respectively, for similar vulnerabilities. Flaws leading to sensitive data theft and other types of issues will be awarded between $750 and $7,500 for Tier 1 apps, between $625 and $6,250 for Tier 2 software, and between $500 and $5,000 for Tier 3 applications. Google notes it may also award $1,000 bonuses for surprising vulnerabilities or exceptional writeups.
Google stated that researchers are encouraged to present their findings in a succinct manner, adding a short proof-of-concept (PoC) if possible. It was noted that researchers interested in participating in the Mobile VRP should only target their own accounts and should submit their findings through Google’s report page. Additional information on the program can be found on the new Mobile VRP page.


SecurityWeek reports: "Google Launches Bug Bounty Program for Mobile Applications"