Google Pays $450k for Android Vulnerabilities

by ·

Google has substantially increased the rewards for reporting vulnerabilities that allow successful remote code execution (RCE) in Android applications, raising the maximum cash payout for exceptional reports to $450,000.

The updates pertain to the Mobile Vulnerability Reward Program (Mobile VRP), which now includes so-called tier-one applications, including Google Play services, the Google Search app, Google Cloud, and Gmail.

Under the Mobile VRP, the company now offers $300,000 for vulnerabilities that enable code execution remotely and without user interaction—a sum tenfold greater than the previous reward of $30,000. Moreover, if a bug report is of exceptional quality and includes a root cause analysis, remediation suggestions, and other recommendations, researchers could receive up to the aforementioned $450,000.

A reward of $75,000 has also been announced for exploits that enable the theft of sensitive data without user interaction. Low-quality reports that fail to provide a precise and detailed description of the vulnerability, proof of concept, simple steps for reproducing the vulnerability, and a clear demonstration of the bug’s impact will be compensated at half the rate.

There have also been changes in the structure of the rewards: a two-fold modifier for SDKs is now included in the standard rewards. This increases the total payout amount and simplifies decision-making by expert panels.

Overall, Google’s reward table now looks as follows, excluding increased rewards for reports of exceptional quality:

Kristoffer Blasiak, a Google information security engineer, emphasized that the Mobile VRP, launched in May last year, has already yielded significant results: “The Mobile VRP launched in May 2023, and after one year, it’s time to take a look back at what we’ve achieved. Most importantly, we received over 40 valid security bug reports, nearing $100,000 in rewards paid to security researchers.”

Tags: