Google now pays up to $450,000 for RCE bugs in some Android apps

Google has raised rewards for reporting remote code execution (RCE) vulnerabilities in select Android apps tenfold, from $30,000 to $300,000, with the maximum reward reaching $450,000 for exceptional-quality reports.

The company made these changes to the Mobile Vulnerability Rewards Program (Mobile VRP), and they apply to what it describes as Tier 1 applications.

The list of in-scope apps includes Google Play Services, the Android Google Search app (AGSA), Google Cloud, and Gmail.

Google now also wants security researchers to focus on flaws that could lead to sensitive data theft, and will pay $75,000 for data-theft exploits that work remotely and require no user interaction.

For exceptional-quality reports that include a proposed patch or effective mitigation and a root cause analysis that helps find other variants of the issue, the company will pay 1.5x the total reward amount, allowing researchers to earn up to $450,000 for an RCE exploit in a Tier 1 Android app.

However, researchers will get only half the reward for low-quality bug reports that do not provide:

  • An accurate and detailed description,
  • A proof-of-concept exploit,
  • Simple steps to reproduce the vulnerability reliably,
  • A clear demonstration of the bug's impact.
Reward amounts by vulnerability category and attack scenario (before quality modifiers):

Category          Remote / no user interaction   Via link click   Via malicious app / non-default config   Attacker on same network
Code Execution    $300,000                       $150,000         $15,000                                  $9,000
Data Theft        $75,000                        $37,500          $9,000                                   $6,000
Other Vulns       $24,000                        $9,000           $4,500                                   $2,400

“Some additional, smaller changes were also made to our rules. For example, the 2x modifier for SDKs is now baked into the regular rewards. This should increase overall rewards, and will make panel decisions easier,” Google information security engineer Kristoffer Blasiak said.

Google launched the Mobile VRP last May to pay security researchers for vulnerabilities in the company's Android applications.

The bug bounty program's main goal was to speed up the process of finding and fixing security weaknesses in first-party Android apps developed or maintained by Google.

“The Mobile VRP launched in May 2023, and after one year, it's time to take a look back at what we've achieved,” Blasiak added.

“Most importantly, we received over 40 valid security bug reports, nearing $100,000 in rewards paid to security researchers.”
