Google Mobile VRP
Google on Tuesday announced that the bug bounty rewards offered as part of its Mobile VRP launched last year have been increased ten-fold.
Close to $100,000 has been handed out in bug bounty rewards as part of the program, which kicked off in May 2023 to include Google’s own mobile applications, along with apps from Developed with Google, Research at Google, Google Samples, Red Hot Labs, Fitbit LLC, Nest Labs Inc., Waymo LLC, and Waze.
Now, the company says researchers can earn as much as $450,000 for a single vulnerability report, should their submission meet certain criteria.
First, the flaw must impact a Tier 1 mobile application, such as Google Play Services, AGSA, Google Cloud, or Gmail, and should lead to remote code execution without user interaction.
Second, the report should be of exceptional quality and include a proposed patch or mitigation, a root cause analysis, an accurate description of the issue, proof-of-concept (PoC) code, an example APK, an explanation of the reproduction steps, and an impact analysis.
“One of the things we want to achieve is to encourage bug hunters to spend a little more time crafting and refining their reports. To incentivize bug hunters to do so, we established a new reward modifier to reward bug hunters for the extra time and effort they invest when creating high-quality reports that clearly demonstrate the impact of their findings,” according to a note from Google.
Reports without a proposed patch and root cause analysis are considered good quality and may earn researchers up to $300,000, a ten-fold increase compared to last year’s rewards. This is the highest base amount Google is offering; exceptional reports are eligible for a 50% bonus on top of it.
Google has increased the top rewards across the chart, offering up to $150,000 for code execution flaws in Tier 2 apps (software that handles user data or interacts with Google apps or services), and up to $45,000 for issues in Tier 3 apps (all other apps in the scope of the program).
However, the internet giant also cautions that vulnerability reports considered low quality will receive only half of the reward amount.
Vulnerabilities leading to the theft of sensitive data, path traversal bugs, intent redirection flaws, issues rooted in the unsafe usage of pending intents, and orphaned permission defects are also within the scope of Google’s Mobile VRP.