Google Pays $450k for Android Vulnerabilities
Google has substantially increased the rewards for reporting vulnerabilities that allow successful remote code execution (RCE) in Android applications, raising the maximum cash payout for exceptional reports to $450,000.
The updates pertain to the Mobile Vulnerability Reward Program (Mobile VRP), which now includes so-called tier-one applications, including Google Play services, the Google Search app, Google Cloud, and Gmail.
Under the Mobile VRP, the company now offers $300,000 for vulnerabilities that enable code execution remotely and without user interaction—a sum tenfold greater than the previous reward of $30,000. Moreover, if a bug report is of exceptional quality and includes a root cause analysis, remediation suggestions, and other recommendations, researchers could receive up to the aforementioned $450,000.
A reward of $75,000 has also been announced for exploits that enable the theft of sensitive data without user interaction. Low-quality reports that fail to provide a precise and detailed description of the vulnerability, proof of concept, simple steps for reproducing the vulnerability, and a clear demonstration of the bug’s impact will be compensated at half the rate.
There have also been changes in the structure of the rewards: a two-fold modifier for SDKs is now included in the standard rewards. This increases the total payout amount and simplifies decision-making by expert panels.
Overall, Google’s reward table now looks as follows, excluding increased rewards for reports of exceptional quality:
Kristoffer Blasiak, a Google information security engineer, emphasized that the Mobile VRP, launched in May last year, has already yielded significant results: “The Mobile VRP launched in May 2023, and after one year, it’s time to take a look back at what we’ve achieved. Most importantly, we received over 40 valid security bug reports, nearing $100,000 in rewards paid to security researchers.”