Bug hunters can get up to $450,000 for an RCE in Google’s Android apps
Google has drastically increased the rewards bug hunters can get for reporting vulnerabilities in Android apps it develops and maintains.
“We increased reward amounts by up to 10x in some categories (for example Remote Arbitrary Code Execution in a Tier 1 app went from $30,000 to $300,000),” Google information security engineer Kristoffer Blasiak has pointed out.
Google is also ready to pay more for high-quality reports, so that the Mobile Vulnerability Reward Program team can make faster decisions.
Increased bug bounties
The Google Mobile Vulnerability Reward Program was launched in May 2023, and covers Android apps developed by Google and its subsidiaries (e.g., Fitbit, Waymo, Waze, etc.)
The apps are categorized in three tiers:
- Tier 1 includes Google Play Services, Android Google Search App (AGSA), Google Cloud, and Gmail
- Tier 2 includes apps that interact with either a Tier 1 application, user data, or Google’s services
- Tier 3 includes apps that don’t handle user data or interact with Google’s services
After these latest changes, a bug in a Tier 1 app that can lead to arbitrary code execution and can be triggered remotely and without user interaction can get its discoverer $300,000. If user interaction (e.g., following a link) is required, the award amount is halved.
“We also took the opportunity to focus the reward increases on categories we want researchers to pay particular attention to, to make sure we reward the most impactful reports appropriately,” Blasiak added.
“An example of this is Data theft, where we increased the reward amounts significantly, but we also made sure to give examples of the impact different types of Data theft have; this helps clarify how the data acquired has an impact on the final reward amount.”
Rewards for bugs that may allow attackers to steal sensitive data reach $75,000 if the bug can be exploited remotely, with no user interaction, and $37,500 if user interaction is a prerequisite for exploitation.
Bugs in Tier 2 and Tier 3 apps are covered by the program, but deliver smaller bounties.
Google also wants to incentivize bug hunters to hand in exceptional quality reports – i.e., reports that come with a proposed patch/mitigation, a root cause analysis, and clearly demonstrate the impact of the findings – by pledging to increase the final reward amount by 1.5x.
“Please be succinct: Your report is triaged by security engineers and a short proof-of-concept is more valuable than a video explaining the consequences of a specific bug,” the team says.
Incentivizing ethical hackers to search for vulnerabilities in Android apps by Google
Blasiak says that these changes have been introduced after feedback from their top bug hunters.
A year ago, Google has similarly announced big rewards for reporters of security bugs that can be chained together to fully exploit Chrome.
Google obviously knows and accepts what a group of researchers from University of Pittsburgh and Carnegie Mellon University have recently confirmed after examining bug bounty programs: “Higher bounties incentivize ethical hackers to exert more effort, thereby increasing the probability that they will discover severe vulnerabilities first while reducing the success probability of malicious hackers.”