Google has announced a new bug bounty program called the Mobile Vulnerability Rewards Program (Mobile VRP) that will offer monetary rewards of up to $30,000 for vulnerabilities in the tech giant’s Android applications.
The goal of the program is to find and fix flaws in first-party Android apps, i.e. those developed or maintained by Google, before they are exploited.
The new program covers applications published by the following developers:
- Google LLC
- Developed with Google
- Research at Google
- Red Hot Labs
- Google Samples
- Fitbit LLC
- Nest Labs Inc.
- Waymo LLC
In-scope vulnerabilities include those that let an attacker execute arbitrary code in the context of the vulnerable application (ACE) and flaws that let an attacker steal sensitive data from the app.
“In order to qualify, the ACE should allow an attacker to run native code of their choosing on a user’s device without user knowledge or permission, in the same process as the affected app (there is no requirement that the OS sandbox needs to be bypassed),” Google explains.
Additionally, Google may offer a reward for flaws which in themselves might not result in direct ACE or the theft of sensitive data, but need to be used in conjunction with other vulnerabilities to create an exploit chain. These include:
- Path traversal / zip path traversal vulnerabilities leading to arbitrary file write
- Intent redirections leading to launching non-exported application components
- Vulnerabilities caused by unsafe usage of pending intents
- Orphaned permissions
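The first of these classes, zip path traversal (often called "Zip Slip"), is worth seeing concretely. The following is an added example, not code from Google or from the Mobile VRP; the class name `ZipSlipDemo` and the helper names are assumptions. It builds a constructed archive containing one benign entry and one entry named `../../evil.txt`, extracts it with a naive extractor that writes outside the destination directory, and then with a hardened extractor that canonicalises each target path and rejects anything that does not stay under the destination. On Android the destination would typically be the app's private `filesDir`; here a temporary directory stands in for it so the program runs on a plain JDK.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/** Hypothetical demo class (not project code). On Android destDir would be context.getFilesDir(). */
public class ZipSlipDemo {

    /** Vulnerable: joins the untrusted entry name onto destDir with no canonical-path check,
     *  so an entry named "../../evil.txt" is written outside the app's directory. */
    static List<File> extractUnsafe(InputStream zipBytes, File destDir) throws IOException {
        List<File> written = new ArrayList<>();
        try (ZipInputStream zis = new ZipInputStream(zipBytes)) {
            for (ZipEntry e = zis.getNextEntry(); e != null; e = zis.getNextEntry()) {
                File out = new File(destDir, e.getName());
                if (e.isDirectory()) { out.mkdirs(); continue; }
                out.getParentFile().mkdirs();
                Files.copy(zis, out.toPath(), StandardCopyOption.REPLACE_EXISTING);
                written.add(out);
            }
        }
        return written;
    }

    /** Hardened: canonicalise the resolved target (collapsing ".." and symlinks) and require
     *  it to be strictly inside the canonical destDir; reject the archive on the first escape. */
    static List<File> extractSafe(InputStream zipBytes, File destDir) throws IOException {
        Path root = destDir.getCanonicalFile().toPath();
        List<File> written = new ArrayList<>();
        try (ZipInputStream zis = new ZipInputStream(zipBytes)) {
            for (ZipEntry e = zis.getNextEntry(); e != null; e = zis.getNextEntry()) {
                File out = new File(destDir, e.getName()).getCanonicalFile();
                Path target = out.toPath();
                // Path.startsWith compares whole path components, so "/x/app_files-evil"
                // does not pass as being under "/x/app_files"; equality (entry "." or "")
                // is rejected too because it would target the directory itself.
                if (!target.startsWith(root) || target.equals(root)) {
                    throw new IOException("zip entry escapes destination: " + e.getName());
                }
                if (e.isDirectory()) { out.mkdirs(); continue; }
                out.getParentFile().mkdirs();
                Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
                written.add(out);
            }
        }
        return written;
    }

    /** Constructed sample archive: one benign entry and one traversal entry. */
    static byte[] maliciousZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("ok.txt"));
            zos.write("benign".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../../evil.txt"));   // ZipEntry does not validate names
            zos.write("payload".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("zipslip");
        // Two levels deep so that "../../" lands inside the temp tree rather than in /tmp itself.
        File dest = base.resolve("sandbox").resolve("app_files").toFile();
        dest.mkdirs();
        Path root = dest.getCanonicalFile().toPath();
        byte[] zip = maliciousZip();

        for (File f : extractUnsafe(new ByteArrayInputStream(zip), dest)) {
            boolean inside = f.getCanonicalFile().toPath().startsWith(root);
            System.out.println("unsafe wrote " + f.getCanonicalPath() + (inside ? "" : "   <-- OUTSIDE destDir"));
        }
        try {
            extractSafe(new ByteArrayInputStream(zip), dest);
        } catch (IOException ex) {
            System.out.println("hardened extractor rejected archive: " + ex.getMessage());
        }
    }
}
```

Run it with `javac ZipSlipDemo.java && java ZipSlipDemo`. Two caveats a reviewer would raise: the hardened extractor has already written `ok.txt` before it rejects the archive, so for all-or-nothing behaviour validate every entry name in a first pass (or extract into a fresh staging directory and move it into place afterwards); and the check must be done on the canonical path, since comparing the raw string against the destination prefix would miss both `..` segments and symlinks planted inside the destination.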
Google says that it will pay a maximum of $30,000 for issues allowing remote code execution without user interaction and up to $7,500 for vulnerabilities that can be used for remote data theft.