23 May 2023

Google offers up to $30K for vulns in Android applications

Google has announced a new bug bounty program called the Mobile Vulnerability Rewards Program (Mobile VRP) that will offer monetary rewards of up to $30,000 for vulnerabilities in the tech giant’s Android applications.

The goal of the program is to mitigate flaws and improve security in first-party Android apps, developed or maintained by Google.

The new program covers applications published by the following developers:

  • Google LLC

  • Developed with Google

  • Research at Google

  • Red Hot Labs

  • Google Samples

  • Fitbit LLC

  • Nest Labs Inc.

  • Waymo LLC

In-scope vulnerabilities include those that enable an attacker to execute arbitrary code in the context of the vulnerable application (ACE) and security flaws that allow sensitive data to be stolen from the app.

“In order to qualify, the ACE should allow an attacker to run native code of their choosing on a user’s device without user knowledge or permission, in the same process as the affected app (there is no requirement that the OS sandbox needs to be bypassed),” Google explains.

Additionally, Google may offer a reward for flaws which in themselves might not result in direct ACE or the theft of sensitive data, but need to be used in conjunction with other vulnerabilities to create an exploit chain. These include:

  • Path traversal / zip path traversal vulnerabilities leading to arbitrary file write

  • Intent redirections leading to launching non-exported application components

  • Vulnerabilities caused by unsafe usage of pending intents

  • Orphaned permissions
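
The first bug class in that list, zip path traversal leading to an arbitrary file write, is worth seeing concretely. The example below is added here and is not code from Google or from the Mobile VRP; the class name, the `destDir` parameter (an app would normally pass its private files directory) and the constructed in-memory archive are assumptions made for illustration. It shows an extractor that trusts entry names beside a hardened one that applies the standard canonical-path check.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/**
 * Added example, not code from Google or the Mobile VRP: the "zip path
 * traversal leading to arbitrary file write" bug class, shown as a vulnerable
 * extractor beside a hardened one. destDir is passed in so the class has no
 * Android dependency; an app would normally pass its private files directory.
 */
public final class ZipTraversalDemo {

    /** Returns true only if the entry resolves to a path inside destDir. */
    static boolean entryStaysInside(File destDir, String entryName) throws IOException {
        String root = destDir.getCanonicalPath() + File.separator;
        String target = new File(destDir, entryName).getCanonicalPath();
        return target.startsWith(root);
    }

    /** VULNERABLE: writes wherever the archive-controlled entry name points. */
    static void unzipUnsafe(InputStream in, File destDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry e;
            while ((e = zis.getNextEntry()) != null) {
                write(zis, new File(destDir, e.getName()), e.isDirectory());
            }
        }
    }

    /** HARDENED: rejects any entry whose canonical path escapes destDir. */
    static void unzipSafe(InputStream in, File destDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry e;
            while ((e = zis.getNextEntry()) != null) {
                if (!entryStaysInside(destDir, e.getName())) {
                    throw new IOException("Rejected zip entry outside target: " + e.getName());
                }
                write(zis, new File(destDir, e.getName()), e.isDirectory());
            }
        }
    }

    /** Copies the current entry's bytes to disk, creating parent directories. */
    private static void write(InputStream data, File out, boolean isDir) throws IOException {
        if (isDir) { out.mkdirs(); return; }
        File parent = out.getParentFile();
        if (parent != null) parent.mkdirs();
        try (OutputStream os = new FileOutputStream(out)) {
            byte[] buf = new byte[4096];
            int n;
            while ((n = data.read(buf)) > 0) os.write(buf, 0, n);
        }
    }

    /** Constructed in-memory archive: one benign entry and one that climbs out of destDir. */
    static byte[] constructedArchive() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("assets/config.json"));
            zos.write("{}".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../escaped.txt")); // resolves outside destDir
            zos.write("x".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        File dest = Files.createTempDirectory("unzip-dest").toFile();
        byte[] zip = constructedArchive();
        try {
            unzipSafe(new ByteArrayInputStream(zip), dest);
        } catch (IOException ex) {
            System.out.println("hardened extractor: " + ex.getMessage());
        }
        // unzipUnsafe would have created escaped.txt in the parent of dest;
        // after the hardened run nothing was written there.
        System.out.println("escaped file exists after safe run: "
                + new File(dest.getParentFile(), "escaped.txt").exists());
    }
}
```

The check compares canonical paths rather than looking for `..` in the entry name, so symlinked or mixed-separator names are handled the same way, and the trailing separator on `root` prevents a sibling directory with a longer name (for example `dest2`) from passing the prefix test. The unsafe variant is kept only for comparison and is not invoked by `main`.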

Google says that it will pay a maximum of $30,000 for issues allowing remote code execution without user interaction and up to $7,500 for vulnerabilities that can be used for remote data theft.
