Find Android bugs, earn up to $30k

In a recent announcement, Google has unveiled a new bug bounty program for Android, inviting skilled individuals to put their expertise to the test and potentially earn substantial rewards. The program promises generous incentives, potentially reaching tens of thousands of dollars, for those who can uncover and report security vulnerabilities within the Android operating system.

See more

We are excited to announce the new Mobile VRP! We are looking for bughunters to help us find and fix vulnerabilities in our mobile applications. https://t.co/HDs1hnGpbH

— Google VRP (Google Bug Hunters) (@GoogleVRP) May 22, 2023

Outlined in the program summary, the primary emphasis of this Mobile VRP (Vulnerability Reward Program) by Google lies on first-party Android apps. The objective is to identify and address vulnerabilities within these apps, ultimately ensuring the safety and security of users' data. By encouraging researchers to uncover potential flaws, Google aims to fortify the robustness of their Android ecosystem and maintain the privacy of their users.

How does it work, though?

The program encompasses Tier 1 applications, which include prominent offerings such as Google Play Services, AGSA, Google Chrome, Google Cloud, Gmail, and Chrome Remote Desktop. These applications are considered within the scope of the program, aiming to identify and address potential vulnerabilities.

Furthermore, the program extends its coverage beyond Tier 1 apps to include applications developed by various entities. These include Google LLC, Developed with Google, Research at Google, Red Hot Labs, Google Samples, Fitbit LLC, Nest Labs Inc., Waymo LLC, and Waze. By encompassing apps from these developers, the program aims to cast a wider net in the pursuit of enhancing security across diverse software offerings associated with Google and its affiliated entities.

The reward structure for the bug bounty program commences at a minimum of $500, applicable to the discovery of vulnerabilities such as sensitive data theft or other security issues found within Tier 3 applications. This particular reward level is specifically relevant when the attacker is operating on the same network as the target.

The most substantial rewards are offered for remote arbitrary code execution, where successful findings can lead to prizes of $30,000, $25,000, and $20,000 for Tiers 1, 2, and 3, respectively. This incentivizes researchers to focus on identifying and reporting critical vulnerabilities within the program's specified tiers.

Moreover, the program's panel holds the authority to bestow discretionary bonuses of $1,000. These additional rewards can be granted for various reasons, such as exceptionally surprising vulnerabilities or exceptional write-ups that provide detailed insights and analysis of the discovered vulnerabilities. The discretionary bonuses serve to acknowledge outstanding contributions and exceptional efforts made by participants in the bug bounty program.

In addition to arbitrary code execution and sensitive data theft, the Mobile VRP program recognizes that other vulnerabilities may also have a security impact and will be duly considered. This highlights the program's commitment to thoroughly evaluating potential security risks and ensuring comprehensive coverage.

For further information on the program, including specific examples of non-qualifying discoveries and more detailed guidelines, interested individuals can refer to the official website.

Advertisement