Google launches a bug bounty program for its Android apps, with a maximum reward of $30,000
Mid-month, Google expanded its Android Vulnerability Rewards Program (VRP) with a new reward scheme for vulnerabilities in a selection of its own Android applications, giving security researchers a sanctioned way to probe these apps and be paid for what they find.
The new program is called the Mobile VRP. Google says it wants help from capable researchers in identifying and fixing security weaknesses in its mobile applications. Accordingly, the applications in scope for the Mobile VRP are first-party Google apps, including ones pre-installed on Android devices. Rewards depend on the nature of the vulnerability and on what an attacker must do to exploit it, and are split into four tiers; the top reward, for a zero-click vulnerability that allows remote execution of arbitrary code without any user interaction, is up to $30,000.
| Name | Package name |
|---|---|
| Google Play Services | com.google.android.gms |
| AGSA (Android Google Search App) | com.google.android.googlequicksearchbox |
| Google Chrome | com.android.chrome |
| Google Cloud | com.google.android.apps.cloudconsole |
| Gmail | com.google.android.gm |
| Chrome Remote Desktop | com.google.chromeremotedesktop |
The four tiers are defined by the attacker's position and the amount of user interaction required, and each has its own maximum reward:
1. Remote exploitation with no user interaction (zero-click): up to $30,000.
2. The user must click on a link for the vulnerable application to be exploited: up to $15,000.
3. The user must install a malicious application, or the target application must be configured in a non-default way: up to $4,500.
4. The attacker and victim must share a network, as in a man-in-the-middle (MITM) attack: up to $2,250.
Google says it hopes researchers will engage actively so that vulnerabilities in its first-party Android applications are reduced and users and their data stay protected.