Fri. Jun 2nd, 2023

Google has launched a new bug bounty program for its Android apps. Under the Mobile Vulnerability Rewards Program (Mobile VRP), the tech giant will pay security researchers for flaws found in first-party apps. The official Twitter account of Google VRP has also shared a post announcing the latest bug bounty program. “We are excited to announce the new Mobile VRP! We are looking for bughunters to help us find and fix vulnerabilities in our mobile applications,” the tweet reads.
The post also links to the page that sets out the rules of the Google Mobile VRP. In this blog post, the company has mentioned that the main goal behind the Mobile VRP is to speed up the process of finding and fixing weaknesses in first-party Android apps. This includes apps that are primarily developed or maintained by Google.
Apps that fall under Google Mobile VRP
The apps that come under Google’s Mobile VRP are developed by Google LLC or are developed with Google. They also include apps that are researched at Google, Red Hot Labs, Google Samples, Fitbit LLC, Nest Labs Inc, Waymo LLC, and Waze.
Google has also divided the apps into three tiers. Tier 1 Android apps include apps such as Google Play Services, AGSA, Google Chrome, Google Cloud, Gmail and Chrome Remote Desktop.
The company has also detailed the vulnerabilities that will qualify for the bug bounty program. These include flaws that allow arbitrary code execution (ACE) and theft of sensitive data. The admissible security flaws also include weaknesses that could be chained with other vulnerabilities to achieve a similar impact.

Google has confirmed that it will reward a maximum of $30,000 for bugs that allow remote code execution without user interaction and up to $7,500 for flaws that allow hackers to steal sensitive data remotely.

| Category | 1) Remote/No User Interaction | 2) User must follow a link that exploits the vulnerable app | 3) User must install malicious app or victim app is configured in a non-default way | 4) Attacker must be on the same network (e.g. MiTM) |
| --- | --- | --- | --- | --- |
| Arbitrary Code Execution | $30,000 | $15,000 | $4,500 | $2,250 |
| Theft of Sensitive Data | $7,500 | $4,500 | $2,250 | $750 |
| Other Vulnerabilities | $7,500 | $4,500 | $2,250 | $750 |

“The Mobile VRP recognises the contributions and hard work of researchers who help Google improve the security posture of our first-party Android applications. The goal of the program is to mitigate vulnerabilities in first-party Android applications, and thus keep users and their data safe,” Google noted.


Tanushree K

By Tanushree

