- Google rewards reporting vulnerabilities in Android apps.
- Rewards vary based on severity, app tier, and impact.
- Promptly report critical vulnerabilities for compensation.
While it’s possible to use Android without Google apps by opting for a custom ROM without them, the functionality they provide is essential and forms the foundation of numerous features on our smartphones.
Consequently, just like a vulnerability in Android could cause significant issues, a vulnerability in one of Google’s core apps and services could also lead to a troublesome situation. To address this, Google has recently introduced an enticing bounty program, encouraging individuals to identify and report any vulnerabilities they discover within the company’s apps.
"Google has added a new Vulnerability Reward Program (VRP) called the Mobile VRP that focuses on its first-party Android apps. Security researchers that disclose qualifying vulnerabilities impacting Android apps developed or maintained by Google can be rewarded depending on the… pic.twitter.com/v7RszpNUPF"
— Mishaal Rahman (@MishaalRahman) May 23, 2023
The newly unveiled program, known as the Vulnerability Reward Program (VRP), specifically focuses on Google’s Android apps. It ensures that anyone who happens to stumble upon a critical issue that Google doesn’t want malicious actors to exploit will be duly rewarded. While Google already had a similar program in place for Android itself and its open-source apps, it has now extended it to encompass the apps that hold the highest priority for the company. The amount of the reward varies based on the severity of the reported issue, the app it affects, and the tier to which the app belongs.
The prize amount is contingent upon the tier and severity of the reported vulnerability. Discovering a vulnerability in a tier 1 app (like Google Play Services, Google Cloud, Google Chrome, Gmail, Chrome Remote Desktop, and the Google app) that permits remote arbitrary code execution will earn you an impressive $30,000. Similarly severe issues found in tier 2 apps (first-party apps that interact with tier 1 apps) qualify for a reward of $25,000, while tier 3 apps (apps that neither interact with Google services nor handle user data) warrant $20,000. Subsequently, the prize diminishes as the severity of the vulnerability decreases. For instance, identifying a vulnerability that enables network-based attacks on a tier 3 app will earn you a modest $500.
If you happen to uncover a critical vulnerability, be sure to promptly inform Google, and the company will duly compensate you for your efforts.