Tech giant Google has launched the Mobile Vulnerability Rewards Program (Mobile VRP), a new bug bounty program that will pay security researchers for flaws found in the company’s Android applications.
“We are excited to announce the new Mobile VRP! We are looking for bug hunters to help us find and fix vulnerabilities in our mobile applications,” Google VRP tweeted.
Applications in scope for the Mobile VRP include those developed by Google LLC, Developed with Google, Research at Google, Red Hot Labs, Google Samples, Fitbit LLC, Nest Labs Inc, Waymo LLC, and Waze.
The list of in-scope apps also contains what Google describes as “Tier 1” Android applications, which includes the following apps (and their package names):
- Google Play Services (com.google.android.gms)
- AGSA (com.google.android.googlequicksearchbox)
- Google Chrome (com.android.chrome)
- Google Cloud (com.google.android.apps.cloudconsole)
- Gmail (com.google.android.gm)
- Chrome Remote Desktop (com.google.chromeremotedesktop)
Qualifying vulnerabilities include those allowing arbitrary code execution (ACE) and theft of sensitive data, and weaknesses that could be chained with other flaws to lead to a similar impact.
These include orphaned permissions, path traversal or zip path traversal flaws leading to arbitrary file write, intent redirections that can be exploited to launch non-exported application components, and security bugs caused by unsafe usage of pending intents.
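To make the "zip path traversal leading to arbitrary file write" class above concrete, here is an added Java example (not code from Google or the program page) of an archive extractor that rejects entries whose resolved path escapes the target directory; the archive, the entry names and the temp directory are constructed for the demo.

```java
import java.io.*;
import java.util.zip.*;

public class SafeUnzip {
    // Hardened extraction: an entry such as "../escape.txt" resolves outside
    // targetDir, so comparing canonical paths (with a trailing separator on the
    // base, so "/data/app" does not match "/data/app2") blocks the write.
    public static void extract(InputStream zipBytes, File targetDir) throws IOException {
        String base = targetDir.getCanonicalPath() + File.separator;
        try (ZipInputStream zin = new ZipInputStream(zipBytes)) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                File out = new File(targetDir, entry.getName());
                if (!out.getCanonicalPath().startsWith(base)) {
                    throw new IOException("Blocked zip path traversal: " + entry.getName());
                }
                if (entry.isDirectory()) { out.mkdirs(); continue; }
                out.getParentFile().mkdirs();
                try (FileOutputStream fos = new FileOutputStream(out)) {
                    byte[] buf = new byte[8192];
                    int n;
                    while ((n = zin.read(buf)) > 0) fos.write(buf, 0, n);
                }
                zin.closeEntry();
            }
        }
    }

    // Constructed demo: an in-memory archive whose first entry tries to climb
    // out of the extraction directory; extract() throws before writing it.
    public static void main(String[] args) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bos)) {
            zout.putNextEntry(new ZipEntry("../escape.txt"));
            zout.write("constructed".getBytes());
            zout.closeEntry();
            zout.putNextEntry(new ZipEntry("ok.txt"));
            zout.write("constructed".getBytes());
            zout.closeEntry();
        }
        File dir = new File(System.getProperty("java.io.tmpdir"), "safe-unzip-demo");
        dir.mkdirs();
        try {
            extract(new ByteArrayInputStream(bos.toByteArray()), dir);
        } catch (IOException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The same canonical-path comparison applies to plain path traversal where an attacker controls a file name passed to an app's file-writing code.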
Google says that it will reward a maximum of $30,000 for remote code execution without user interaction and up to $7,500 for bugs allowing the theft of sensitive data remotely.
Category | 1) Remote/No User Interaction | 2) User must follow a link that exploits the vulnerable app | 3) User must install malicious app or victim app is configured in a non-default way | 4) Attacker must be on the same network (e.g. MiTM) |
---|---|---|---|---|
Arbitrary Code Execution | $30,000 | $15,000 | $4,500 | $2,250 |
Theft of Sensitive Data | $7,500 | $4,500 | $2,250 | $750 |
Other Vulnerabilities | $7,500 | $4,500 | $2,250 | $750 |
“The Mobile VRP recognizes the contributions and hard work of researchers who help Google improve the security posture of our first-party Android applications,” Google said.
“The goal of the program is to mitigate vulnerabilities in first-party Android applications, and thus keep users and their data safe.”
Bijay Pokharel