Google reveals bug bounty program for its own Android apps like Chrome, Gmail and the search widget
The company paid $12 million to security researchers in 2022
By Adrian Potoroaca
In brief: Last year, Google's bug bounty program awarded no less than $12 million to researchers who identified security flaws in its products and services. That figure is up significantly from the $8.7 million paid in 2021 and is expected to continue to increase in the coming years. The company is now extending its security research efforts with a new program that targets first-party Android apps.
Earlier this month, Google updated the Android and Google Devices Vulnerability Reward Program (VRP) with a new quality rating system for bug reports and raised the maximum reward for finding critical vulnerabilities to $15,000. The company explained at the time that this would make it easier to fix security flaws in Pixel phones, Google Nest devices, Fitbit wearables, and the Android OS itself in a more timely manner.
This week, the company launched the Mobile Vulnerability Rewards Program (Mobile VRP), which targets researchers interested in poking and prodding the security of Android apps made by Google or other Alphabet-owned companies.
The new program classifies first-party Android apps into three tiers. Tier 1 includes the most important apps, such as Google Play Services, Google Chrome, Gmail, Chrome Remote Desktop, Google Cloud, and AGSA (the Google Search widget in Android). Tier 2 and Tier 3 apps include those developed by Google's research division, Google Samples, Red Hot Labs, Nest Labs, Waymo, and Waze.
As for the types of security vulnerabilities that qualify for the Mobile VRP program, Google says it's mostly interested in bugs that allow arbitrary code execution and data theft, so its security engineers will prioritize such reports. That said, the company is also looking to learn about other security flaws that could be used as part of exploit chains, including path traversal or zip path traversal vulnerabilities, orphaned permissions, and intent redirections that could be used to launch non-exported application components.
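Two of the bug classes listed above, zip path traversal and intent redirection, come down to a missing check in the app. The following hypothetical Android helper (an added illustration, not Google's code or any app named in the program) shows the defensive checks that close each one; the class name, method names and the extra key passed to `isSafeToForward` are assumptions.

```java
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

/** Hypothetical helper (not Google's code): guards for two bug classes the program lists. */
public final class MobileVrpGuards {
    // Zip path traversal: an entry named "../../shared_prefs/x.xml" would otherwise land
    // outside destDir. Every entry's canonical path must stay under the canonical destDir.
    public static void extractSafely(InputStream zipStream, File destDir) throws IOException {
        String destPath = destDir.getCanonicalPath() + File.separator;
        try (ZipInputStream zis = new ZipInputStream(zipStream)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                File target = new File(destDir, entry.getName());
                if (!target.getCanonicalPath().startsWith(destPath)) {
                    throw new IOException("Rejected traversal entry: " + entry.getName());
                }
                if (entry.isDirectory()) { target.mkdirs(); continue; }
                target.getParentFile().mkdirs();
                try (FileOutputStream out = new FileOutputStream(target)) {
                    byte[] buf = new byte[8192]; int n;
                    while ((n = zis.read(buf)) > 0) out.write(buf, 0, n);
                }
            }
        }
    }

    // Intent redirection: an exported component that forwards a caller-supplied nested
    // Intent must not let the caller reach this app's own non-exported components.
    public static boolean isSafeToForward(Context ctx, Intent outer, String extraKey) {
        Intent nested = outer.getParcelableExtra(extraKey);
        if (nested == null) return false;
        PackageManager pm = ctx.getPackageManager();
        ComponentName target = nested.resolveActivity(pm);
        if (target == null) return false;
        if (!ctx.getPackageName().equals(target.getPackageName())) return true;
        try {
            return pm.getActivityInfo(target, 0).exported; // already reachable by the caller
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }
}
```

An exported activity would call `isSafeToForward` before passing the nested intent to `startActivity`, and `extractSafely` replaces a loop that writes `entry.getName()` straight to disk.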
Rewards vary based on the severity of the discovered flaw and the affected apps, and Google is willing to pay as much as $30,000 for finding flaws that allow attackers to execute remote code without user interaction. The most substantial rewards for finding a serious flaw in Tier 2 and Tier 3 apps are $25,000 and $20,000, respectively. The lowest amount awarded for a qualifying report is $500, but Google may also apply a $1,000 bonus for exceptional writeups.
Google's bug bounty program is among the largest in the tech industry, with $12 million paid out to security researchers in 2022 alone. The highest reward was $605,000 for an expert who discovered an exploit chain made up of five vulnerabilities in Android.
Security researchers who are interested in the Mobile VRP can find more details here. Google says reports must be succinct and include a short proof-of-concept if possible – some guidelines on how to submit better bug reports can be found here.
In related news, researchers this week detailed a new brute-force attack that can bypass fingerprint locks on Android phones. It affects several popular models from companies like Samsung, Xiaomi, and OnePlus, and the attack can be carried out in a relatively short time using relatively inexpensive hardware.
Masthead credit: Alexander London