Google launches Android app bug bounty program
Google has launched the Mobile Vulnerability Rewards Program (Mobile VRP), a new vulnerability bounty program that will pay security researchers for flaws found in the company’s Android apps.
“We are excited to announce the new Mobile VRP program! We are looking for bug hunters to help us find and fix vulnerabilities in our mobile apps,” says Google VRP.
According to the company, the main goal of Mobile VRP is to speed up the process of finding and fixing weaknesses in Android apps developed or maintained by Google.
The scope of Mobile VRP includes applications developed by Google LLC, Developed with Google, Research at Google, Red Hot Labs, Google Samples, Fitbit LLC, Nest Labs Inc, Waymo LLC and Waze.
The list of apps in scope also includes Android apps that Google refers to as “Tier 1” apps, which include the following apps (and their package names):
- Google Play Services (com.google.android.gms)
- AGSA (com.google.android.googlequicksearchbox)
- Google Chrome (com.android.chrome)
- Google Cloud (com.google.android.apps.cloudconsole)
- Gmail (com.google.android.gm)
- Chrome Remote Desktop (com.google.chromeremotedesktop)
Paid vulnerabilities include those that allow arbitrary code execution (ACE) and theft of sensitive data, as well as vulnerabilities that could be chained with other flaws to achieve similar consequences.
These include incorrect permissions, arbitrary file writes, intent redirects that launch non-exported application components, and security bugs caused by insecure use of pending intents.
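As an illustration of the intent-redirect class named above, here is an added example (not code from Google or from any of the apps listed) of an exported Activity that blindly forwards a caller-supplied Intent, next to a hardened variant; the extra name `next_intent` and the class name are assumptions for this example.

```java
// Added example: intent redirection in an exported Activity, vulnerable vs. hardened.
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;

public class ForwardingActivity extends Activity {
    // Hypothetical extra name under which a caller supplies a nested Intent.
    static final String EXTRA_NEXT = "next_intent";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent next = getIntent().getParcelableExtra(EXTRA_NEXT);
        if (next == null) {
            finish();
            return;
        }
        // VULNERABLE: startActivity() runs with this app's identity, so any app on
        // the device can use this exported entry point to reach components that are
        // android:exported="false", and FLAG_GRANT_* flags on the nested Intent can
        // hand the caller access to this app's content providers.
        // startActivity(next);

        // HARDENED: only forward explicit Intents aimed at this package, and strip
        // URI permission grants so nothing is delegated on the caller's behalf.
        if (isSafeToForward(next)) {
            startActivity(next);
        }
        finish();
    }

    /** Accept only explicit Intents whose target lives in this app. */
    boolean isSafeToForward(Intent next) {
        ComponentName target = next.getComponent();
        if (target == null) {
            return false;  // implicit Intents could resolve anywhere
        }
        if (!getPackageName().equals(target.getPackageName())) {
            return false;  // refuse to launch components of other apps
        }
        // Remove grant flags: the caller must not gain provider access via us.
        next.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION);
        return true;
    }
}
```

In practice an allow-list of specific target classes is tighter than a package check, since a same-package check still exposes every non-exported component in the app to a caller who knows its class name.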
“The Mobile VRP program recognizes the contributions and hard work of researchers who are helping Google improve the security of our Android apps,” Google said in a statement.
The goal of the program is to eliminate vulnerabilities in native Android applications and thereby secure users and their data.
In August 2022, the company announced that it would pay security researchers to find bugs in the latest released versions of Google’s open source software (Google OSS), including the most important projects such as Bazel, Angular, Golang, Protocol buffers and Fuchsia.
Since launching its first VRP over a decade ago in 2010, Google has paid over $50 million to thousands of security researchers around the world for reporting over 15,000 vulnerabilities.
In 2021, Google paid out $8.7M and in 2022 paid $12M, including a record $605,000 payout for an Android exploit chain consisting of five separate security bugs, the highest in Android VRP history.
The year before, the same researcher had submitted another critical Android exploit chain, earning another $157,000, the previous record in Android VRP history at the time.