Google launches bug bounty program

Google has recently unveiled the Mobile Vulnerability Rewards Program (Mobile VRP), a new bug bounty initiative aimed at incentivizing security researchers to identify and report vulnerabilities within the company’s Android applications. This program presents an exciting opportunity for bug hunters to actively participate in making Google’s mobile apps more secure.

With the increasing reliance on mobile applications for various tasks, ensuring the security and integrity of these apps is of paramount importance. Google understands the significance of addressing vulnerabilities promptly, and that’s why they have launched the Mobile VRP. This program seeks to expedite the process of identifying and rectifying weaknesses in Google’s first-party Android apps.

The Mobile VRP encompasses a broad range of Android applications within Google’s ecosystem. It includes apps developed by Google LLC, Developed with Google, Research at Google, Red Hot Labs, Google Samples, Fitbit LLC, Nest Labs Inc, Waymo LLC, and Waze. This extensive scope allows bug hunters to focus their efforts on various applications and areas of potential vulnerability. Additionally, the Mobile VRP places special emphasis on what Google refers to as “Tier 1” Android applications. These apps, such as Google Play Services, AGSA, Google Chrome, Google Cloud, Gmail, and Chrome Remote Desktop, are integral to the Android experience. By addressing vulnerabilities in these apps, bug hunters play a vital role in enhancing the overall security of the Android ecosystem.

The Mobile VRP rewards bug hunters for identifying qualifying vulnerabilities that pose a significant risk to user data and system integrity. Such vulnerabilities may include those enabling arbitrary code execution (ACE), theft of sensitive data, or weaknesses that can be exploited in combination with other flaws to achieve a similar impact.

Examples of qualifying vulnerabilities include orphaned permissions, path traversal or zip path traversal flaws leading to arbitrary file write, intent redirections that can be exploited to launch non-exported application components, and security bugs resulting from the unsafe usage of pending intents.
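To make the zip path traversal class listed above concrete, here is an added example (not Google's code or any project's) of an Android-style Java extraction routine: the unsafe target computation that trusts the entry name verbatim is shown beside the canonical-path check that rejects entries escaping the destination directory. It assumes only the standard java.util.zip and java.nio.file APIs; the sample entry name in the comment is constructed.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

public final class SafeUnzip {
    // Vulnerable pattern: the entry name is used as-is, so a crafted name such as
    // "../../shared_prefs/settings.xml" (constructed sample) resolves outside destDir
    // and turns extraction into an arbitrary file write in the app's sandbox.
    static File unsafeTarget(File destDir, ZipEntry entry) {
        return new File(destDir, entry.getName());
    }

    // Hardened: canonicalise both sides (collapsing ".." and symlinks) and require
    // the target to sit strictly beneath the destination before touching the disk.
    static File safeTarget(File destDir, ZipEntry entry) throws IOException {
        File canonicalDest = destDir.getCanonicalFile();
        File target = new File(canonicalDest, entry.getName()).getCanonicalFile();
        String prefix = canonicalDest.getPath() + File.separator;
        if (!target.getPath().startsWith(prefix)) {
            throw new IOException("Zip entry escapes destination: " + entry.getName());
        }
        return target;
    }

    // Extracts every entry, validating each path before any directory or file is created.
    static void extract(InputStream zipBytes, File destDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(zipBytes)) {
            for (ZipEntry entry; (entry = zis.getNextEntry()) != null; zis.closeEntry()) {
                File target = safeTarget(destDir, entry);
                if (entry.isDirectory()) {
                    Files.createDirectories(target.toPath());
                    continue;
                }
                Files.createDirectories(target.toPath().getParent());
                Files.copy(zis, target.toPath(), StandardCopyOption.REPLACE_EXISTING);
            }
        }
    }
}
```

The same prefix check applies to any archive format or download path where an attacker controls the file name; the check must run before the first write, not after extraction.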

Google acknowledges the severity of these vulnerabilities by offering rewards commensurate with their impact. Bug hunters can receive a maximum reward of $30,000 for identifying remote code execution without user interaction and up to $7,500 for reporting bugs that allow the remote theft of sensitive data.

“The Mobile VRP recognizes the contributions and hard work of researchers who help Google improve the security posture of our first-party Android applications. The goal of the program is to mitigate vulnerabilities in first-party Android applications, and thus keep users and their data safe,” Google said.

The Mobile VRP recognizes and appreciates the valuable contributions made by security researchers in bolstering the security posture of Google’s first-party Android applications. By actively participating in this program, bug hunters play an essential role in mitigating vulnerabilities and ensuring the safety of users and their data. The ultimate goal of the Mobile VRP is to create a robust and secure environment for Android app users. Google remains committed to actively engaging with the security community and fostering collaboration to improve the overall security of its mobile applications.

Source

https://www.bleepingcomputer.com/news/google/google-launches-bug-bounty-program-for-its-android-applications/

https://bughunters.google.com/about/rules/6618732618186752/google-mobile-vulnerability-reward-program-rules