Google is now offering a bounty of up to $450,000 for reporting remote code execution (RCE) vulnerabilities within select Android apps.
For those unaware, RCE is a class of attack in which an attacker can remotely execute malicious code on a target device, regardless of where it is located, in order to deploy additional malware or steal sensitive data.
Previously, the reward for reporting RCE vulnerabilities in Tier 1 apps was $30,000; it has now increased tenfold to $300,000.
These changes were made to the Mobile Vulnerability Rewards Program (Mobile VRP) launched in 2023, which focuses on first-party Android apps developed or maintained by Google.
The goal of this program is "to mitigate vulnerabilities in first-party Android applications, and thus keep users and their data safe" by "recognizing the contributions and hard work of researchers who help Google improve the security posture of our first-party Android applications."
Since Mobile VRP’s launch, Google has received over 40 valid security bug reports, for which it has paid nearly $100,000 in rewards to security researchers.
Coming to Tier 1, the list of in-scope apps includes Google Play Services, the Android Google Search app (AGSA), Google Cloud, and Gmail.
Google now also wants security researchers to pay particular attention to flaws that could lead to the theft of sensitive data. For exploits that require remote or no user interaction, researchers would be paid $75,000.
Further, the tech giant will pay 1.5 times the total reward amount for exceptional-quality reports that include a proposed patch or effective mitigation of the vulnerability, as well as a root cause analysis that helps to find other similar variants of the issue. This would enable researchers to earn up to $450,000 for an RCE exploit in a Tier 1 Android app.
However, researchers would receive only half the reward for low-quality bug reports, meaning reports that don't provide:
- An accurate and detailed description of the issue
- A proof-of-concept exploit
- An example application in the form of an APK
- A step-by-step explanation of how to reproduce the vulnerability reliably
- A clear analysis and demonstration of the impact of the vulnerability
Category | 1) Remote/No User Interaction | 2) User must follow a link that exploits the vulnerable app | 3) User must install malicious app or victim app is configured in a non-default way | 4) Attacker must be on the same network (e.g. MiTM) |
---|---|---|---|---|
A) Arbitrary Code Execution | $300,000 | $150,000 | $15,000 | $9,000 |
B) Theft of Sensitive Data* | $75,000 | $37,500 | $9,000 | $6,000 |
C) Other Vulnerabilities | $24,000 | $9,000 | $4,500 | $2,400 |
"Some additional, smaller changes were also made to our rules. For example, the 2x modifier for SDKs is now baked into the regular rewards. This should increase overall rewards, and will make panel decisions easier," Google information security engineer Kristoffer Blasiak said.