Connect with us


Google launches Android app bug bounty program

Google has launched the Mobile Vulnerability Rewards Program (Mobile VRP), a new vulnerability bounty program that will pay security researchers for flaws found in the company’s Android apps.

“We are excited to announce the new Mobile VRP program! We are looking for bug hunters to help us find and fix vulnerabilities in our mobile apps,” says Google VRP.

According to the company, the main goal of Mobile VRP is to speed up the process of finding and fixing weaknesses in Android apps developed or maintained by Google.

The scope of Mobile VRP includes applications developed by Google LLC, Developed with Google, Research at Google, Red Hot Labs, Google Samples, Fitbit LLC, Nest Labs Inc, Waymo LLC and Waze.

The list of apps in scope also includes Android apps that Google refers to as “Tier 1” apps, which include the following apps (and their package names):

  • Google Play Services (
  • AGSA (
  • Google Chrome (
  • Google Cloud (
  • Gmail (
  • Chrome Remote Desktop (

Paid vulnerabilities include those that allow arbitrary code execution (ACE) and theft of sensitive data, as well as vulnerabilities that may be associated with other flaws that could lead to similar consequences.

These include incorrect permissions, arbitrary file writing, intent redirects to launch non-exportable application components, and security bugs caused by insecure use of deferred intents.

“The Mobile VRP program recognizes the contributions and hard work of researchers who are helping Google improve the security of our Android apps,” Google said in a statement.

The goal of the program is to eliminate vulnerabilities in native Android applications and thereby secure users and their data.

In August 2022, the company announced that it would pay security researchers to find bugs in the latest released versions of Google’s open source software (Google OSS), including the most important projects such as Bazel, Angular, Golang, Protocol buffers and Fuchsia.

Since launching its first VRP over a decade ago in 2010, Google has paid over $50 million to thousands of security researchers around the world for reporting over 15,000 vulnerabilities.

In 2021, Google paid out $8.7M and in 2022 paid $12M, including a record $605,000 payout for an Android exploit chain consisting of five separate security bugs, the highest in Android VRP history.

The year before, the same researcher had submitted another critical Android exploit chain, earning another $157,000, the previous record in Android VRP history at the time.