Google has launched the Mobile Vulnerability Rewards Program (Mobile VRP), a new bug bounty program that will pay security researchers for flaws found in the company’s Android applications.
“We’re excited to announce the new Mobile VRP! We’re looking for bughunters to help us find and fix vulnerabilities in our mobile applications,” Google VRP tweeted.
As the company explained, the main goal behind the Mobile VRP is to speed up the process of finding and fixing weaknesses in first-party Android apps developed or maintained by Google.
Applications in scope for the Mobile VRP include those developed by Google LLC, Developed with Google, Research at Google, Red Hot Labs, Google Samples, Fitbit LLC, Nest Labs Inc, Waymo LLC, and Waze.
The list of in-scope apps also contains what Google describes as “Tier 1” Android applications, which includes the following apps (and their package names):
- Google Play Services (com.google.android.gms)
- AGSA (com.google.android.googlequicksearchbox)
- Google Chrome (com.android.chrome)
- Google Cloud (com.google.android.apps.cloudconsole)
- Gmail (com.google.android.gm)
- Chrome Remote Desktop (com.google.chromeremotedesktop)
Qualifying vulnerabilities include those allowing arbitrary code execution (ACE) and theft of sensitive data, as well as weaknesses that could be chained with other flaws to lead to a similar impact.
These include orphaned permissions, path traversal or zip path traversal flaws leading to arbitrary file write, intent redirections that can be exploited to launch non-exported application components, and security bugs caused by unsafe usage of pending intents.
Google says it will reward a maximum of $30,000 for remote code execution without user interaction and up to $7,500 for bugs allowing the theft of sensitive data remotely.
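The zip path traversal class mentioned above comes from extracting archive entries without checking where the resolved path lands. The following is an added example (not Google's or the Mobile VRP's code) using only the standard `java.util.zip` API that Android shares: it builds a constructed in-memory archive with one benign entry and one `../` entry, and rejects any entry whose canonical destination falls outside the extraction directory. The class and method names and the sample entry names are assumptions.

```java
import java.io.*;
import java.util.zip.*;

// Added example: reject zip entries that would escape the extraction directory
// (the "zip path traversal leading to arbitrary file write" class named above).
public class ZipSlipCheck {

    // Returns the resolved destination file for an entry, or null if it escapes destDir.
    static File safeDestination(File destDir, String entryName) throws IOException {
        String canonicalDir = destDir.getCanonicalPath();
        File target = new File(destDir, entryName);
        String canonicalTarget = target.getCanonicalPath();
        // Compare with a trailing separator so that "/data/app-evil" is not accepted
        // as being inside "/data/app".
        if (!canonicalTarget.startsWith(canonicalDir + File.separator)) {
            return null;
        }
        return target;
    }

    // Constructed sample archive: one normal entry and one entry that climbs out of the
    // destination directory the way a malicious archive would.
    static byte[] buildSampleZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("assets/config.json"));
            zos.write("{}".getBytes("UTF-8"));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../../shared_prefs/evil.xml"));
            zos.write("<map/>".getBytes("UTF-8"));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Nothing is written to disk; the demo only resolves and classifies entry paths.
        File destDir = new File(System.getProperty("java.io.tmpdir"), "extract_demo");
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(buildSampleZip()))) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                File dest = safeDestination(destDir, entry.getName());
                if (dest == null) {
                    System.out.println("REJECTED (escapes " + destDir + "): " + entry.getName());
                } else {
                    System.out.println("OK: " + dest);
                }
            }
        }
    }
}
```

On Android the same check applies when `destDir` is the app's private storage (for example the directory returned by `getFilesDir()`), which is where a traversal would otherwise land on files such as shared preferences.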
Category | 1) Remote/No User Interaction | 2) User must follow a link that exploits the vulnerable app | 3) User must install a malicious app, or the victim app is configured in a non-default manner | 4) Attacker must be on the same network (e.g. MiTM) |
---|---|---|---|---|
Arbitrary Code Execution | $30,000 | $15,000 | $4,500 | $2,250 |
Theft of Sensitive Data | $7,500 | $4,500 | $2,250 | $750 |
Other Vulnerabilities | $7,500 | $4,500 | $2,250 | $750 |
“The Mobile VRP recognizes the contributions and hard work of researchers who help Google improve the security posture of our first-party Android applications,” Google said.
“The goal of the program is to mitigate vulnerabilities in first-party Android applications, and thus keep users and their data safe.”
In August 2022, the company announced it would pay security researchers to find bugs in the latest released versions of Google open-source software (Google OSS), including its most sensitive projects such as Bazel, Angular, Golang, Protocol buffers, and Fuchsia.
Since launching its first VRP over a decade ago, in 2010, Google has rewarded more than $50 million to thousands of security researchers worldwide for reporting over 15,000 vulnerabilities.
In 2022 it awarded $12 million, including a record-breaking $605,000 payout for an Android exploit chain of five separate security bugs reported by gzobqq, the highest in Android VRP history.
One year earlier, the same researcher submitted another critical exploit chain in Android, earning $157,000, the previous bug bounty record in Android VRP history at the time.