Google has announced a new bug bounty program called the Mobile Vulnerability Rewards Program (Mobile VRP) that will offer monetary rewards of up to $30,000 for vulnerabilities in the tech giant’s Android applications.
The goal of the program is to find and fix flaws in first-party Android apps, meaning apps developed or maintained by Google.
The new program covers applications published by the following developers:
Google LLC
Developed with Google
Research at Google
Red Hot Labs
Google Samples
Fitbit LLC
Nest Labs Inc.
Waymo LLC
In-scope vulnerabilities include those that enable an attacker to execute arbitrary code in the context of the vulnerable application (ACE) and flaws that allow theft of sensitive data from the app.
“In order to qualify, the ACE should allow an attacker to run native code of their choosing on a user’s device without user knowledge or permission, in the same process as the affected app (there is no requirement that the OS sandbox needs to be bypassed),” Google explains.
Additionally, Google may offer a reward for flaws that on their own do not result in ACE or theft of sensitive data but can be combined with other vulnerabilities into an exploit chain. These include:
Path traversal / zip path traversal vulnerabilities leading to arbitrary file write
Intent redirections leading to launching non-exported application components
Vulnerabilities caused by unsafe usage of pending intents
Orphaned permissions
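Zip path traversal, the first item in that list, as an added example in plain Java (this is not code from Google or from the Mobile VRP): a constructed archive whose entry name contains "../", an extraction routine that trusts the name as-is, and the hardened form that canonicalises the joined path and rejects anything that resolves outside the destination directory. The archive contents, the `app_files/cache` destination, the class and method names are all hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

// Added example (not Google's code): resolving zip entry names with and
// without a containment check. Archive contents and paths are constructed.
public class ZipSlipCheck {

    // Constructed archive: one benign entry plus one whose name uses "../"
    // to climb out of the extraction directory.
    static byte[] buildMaliciousZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("assets/config.json"));
            zos.write("{}".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../../shared_prefs/evil.xml"));
            zos.write("<map/>".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    // VULNERABLE: the entry name is trusted, so "../" segments resolve
    // outside destDir and a subsequent write lands wherever the archive
    // author chose (the "arbitrary file write" the program rewards).
    static List<File> resolveUnchecked(byte[] zip, File destDir) throws IOException {
        List<File> targets = new ArrayList<>();
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(zip))) {
            ZipEntry e;
            while ((e = zis.getNextEntry()) != null) {
                targets.add(new File(destDir, e.getName()));
            }
        }
        return targets;
    }

    // HARDENED: canonicalise the joined path and require it to stay under
    // destDir. Comparing canonical paths rather than scanning the raw name
    // for ".." also catches forms like "foo/../../x" and resolves symlinks
    // in the destination path before the comparison is made.
    static File safeTarget(File destDir, String entryName) throws IOException {
        String root = destDir.getCanonicalPath() + File.separator;
        File target = new File(destDir, entryName);
        if (!target.getCanonicalPath().startsWith(root)) {
            throw new IOException("zip entry escapes extraction dir: " + entryName);
        }
        return target;
    }

    static List<File> resolveChecked(byte[] zip, File destDir) throws IOException {
        List<File> targets = new ArrayList<>();
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(zip))) {
            ZipEntry e;
            while ((e = zis.getNextEntry()) != null) {
                targets.add(safeTarget(destDir, e.getName()));
            }
        }
        return targets;
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical app-private directory; on Android this would come
        // from Context.getFilesDir() or Context.getCacheDir().
        File destDir = new File(System.getProperty("java.io.tmpdir"), "app_files/cache");
        byte[] zip = buildMaliciousZip();

        for (File f : resolveUnchecked(zip, destDir)) {
            System.out.println("unchecked -> " + f.getCanonicalPath());
        }
        try {
            resolveChecked(zip, destDir);
        } catch (IOException ex) {
            System.out.println("checked   -> rejected: " + ex.getMessage());
        }
    }
}
```

Compile and run it with a plain JDK (`javac ZipSlipCheck.java && java ZipSlipCheck`); the same `java.util.zip` classes are what an Android app would use. The unchecked path for the second entry resolves two directories above `app_files/cache`, which is exactly the kind of write outside the app's intended directory that the program lists as a chainable issue; the checked version throws before any file is created. The check runs before the write, not after, because a file that has already been written to a sensitive location cannot be "un-written" by a later validation step.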
Google says that it will pay a maximum of $30,000 for issues allowing remote code execution without user interaction and up to $7,500 for vulnerabilities that can be used for remote data theft.