Google has introduced the Mobile Vulnerability Rewards Program (Mobile VRP), a bug bounty initiative that focuses on identifying vulnerabilities in its mobile applications. The program specifically covers first-party Android apps developed or maintained by Google, including popular ones like Chrome, Gmail, and Play Services.
Google aims to reward ethical hackers who discover flaws such as arbitrary code execution vulnerabilities and those that could lead to the theft of sensitive data.
The Mobile VRP bug bounty program is limited to apps published by specific developers or those in the Tier 1 list, which includes various Google entities, Fitbit, Nest Labs, Waymo, and Waze. Google’s rewards are based on the severity of the vulnerability and the level of user interaction required for exploitation.
For Tier 1 apps, white-hat hackers can earn up to $30,000 for remotely exploitable vulnerabilities that achieve arbitrary code execution without user interaction.
In addition to the monetary rewards, Google may provide a discretionary $1,000 bonus for particularly surprising or exceptional vulnerabilities. The company emphasizes ethical conduct throughout the program, urging bug hunters to focus their investigations on their own accounts and refrain from accessing unauthorized data or engaging in disruptive activities that could harm fellow users or Google.
Interested individuals can participate in the Mobile VRP by submitting their findings through Google’s dedicated report page.
With the launch of Mobile VRP, Google aims to strengthen the security of its mobile applications by collaborating with the security community to identify and address potential vulnerabilities, thereby enhancing user protection and privacy.