Google has enhanced the security of its first-party Android applications by launching the Mobile Vulnerability Reward Program.
The Mobile VRP aims to encourage researchers and security experts to identify and report vulnerabilities in Google-developed or maintained Android apps. It acknowledges vulnerabilities that fall into two major categories: Arbitrary Code Execution (ACE) and Theft of Sensitive Data.
Certain common low-risk vulnerabilities that are deemed trivially exploitable do not qualify. A few such issues are listed below:
- Vulnerabilities that allow access to non-sensitive media in external storage
- Variants of Strandhogg
- Hardcoded API keys
- Attacks that require a rooted device
In addition to the non-qualifying issues listed above, attack scenarios that require an unreasonable amount of user interaction or social engineering will be considered out of scope.
The Mobile VRP divides applications into three tiers based on their association with user data or Google services. Each tier has corresponding reward amounts, which depend on the vulnerability type and exploitation scenario.
In Tier 1, the maximum rewards range from $750 for MiTM (Man-in-the-Middle) scenarios involving Theft of Sensitive Data to $30,000 for remote/no user interaction ACE vulnerabilities.
Google clarified that only apps published by the developers in the new list or apps in the Tier 1 list qualify for rewards. Other flaws may still be eligible for rewards if they demonstrate a security impact.
Most applications that interact in some way with either a Tier 1 application, user data, or Google’s services fall into the Tier 2 category. The maximum rewards range from $625 for MiTM (Man-in-the-Middle) scenarios involving Theft of Sensitive Data to $25,000 for remote/no user interaction ACE vulnerabilities.
Most applications which do not handle user data or interact with Google’s services fall into the Tier 3 category. The maximum rewards range from $500 for MiTM (Man-in-the-Middle) scenarios involving Theft of Sensitive Data to $20,000 for remote/no user interaction ACE vulnerabilities.
By offering rewards for contributions, Google said that it hopes to maintain user trust and safeguard sensitive data.