The post also links to the page that lists the rules of the Google Mobile VRP. In this blog post, the company says that the main goal behind the Mobile VRP is to speed up the process of finding and fixing weaknesses in first-party Android apps. This includes apps that are primarily developed or maintained by Google.
Apps that fall under Google Mobile VRP
The apps that come under Google’s Mobile VRP are developed by Google LLC or are developed with Google. It also includes apps that are researched at Google, Red Hot Labs, Google Samples, Fitbit LLC, Nest Labs Inc, Waymo LLC, and Waze.
Google has also divided the apps into three tiers. Tier 1 Android apps include Google Play Services, AGSA, Google Chrome, Google Cloud, Gmail and Chrome Remote Desktop.
The company has also detailed the vulnerabilities that will qualify for the bug bounty program. These include flaws that allow arbitrary code execution (ACE) and theft of sensitive data. The admissible security flaws also include weaknesses that could be chained with other vulnerabilities to produce a similar impact.
Google has confirmed that it will reward a maximum of $30,000 for bugs that allow remote code execution without user interaction and up to $7,500 for flaws that allow hackers to steal sensitive data remotely.
Category | 1) Remote/No User Interaction | 2) User must follow a link that exploits the vulnerable app | 3) User must install malicious app or victim app is configured in a non-default way | 4) Attacker must be on the same network (e.g. MiTM) |
Arbitrary Code Execution | $30,000 | $15,000 | $4,500 | $2,250 |
Theft of Sensitive Data | $7,500 | $4,500 | $2,250 | $750 |
Other Vulnerabilities | $7,500 | $4,500 | $2,250 | $750 |
“The Mobile VRP recognises the contributions and hard work of researchers who help Google improve the security posture of our first-party Android applications. The goal of the program is to mitigate vulnerabilities in first-party Android applications, and thus keep users and their data safe,” Google noted.