Google now pays up to $450,000 for RCE bugs in some Android apps

April 30, 2024 at 02:35PM

Google has increased rewards for reporting remote code execution vulnerabilities in select Android apps, now offering up to $450,000. The company aims to focus on flaws leading to data theft, paying $75,000 for such exploits. The changes to the Mobile Vulnerability Rewards Program also include bonuses for exceptional quality reports and rule modifications.

The key takeaways from the announced changes to Google's Mobile Vulnerability Rewards Program (Mobile VRP) are as follows:

1. Rewards for reporting remote code execution (RCE) vulnerabilities within select Android apps have been increased significantly:
– The rewards have been raised from $30,000 to $300,000, with a maximum reward of up to $450,000 for exceptional quality reports.

2. New focus areas for security researchers:
– Google now wants security researchers to concentrate on vulnerabilities that could lead to sensitive data theft.
– Researchers can earn $75,000 for exploits that don’t require user interaction and can be used remotely.

3. Changes in reward structure for bug reports:
– Exceptional quality reports with a proposed patch or effective mitigation and a root cause analysis can earn up to 1.5x the total reward amount, up to $450,000 for an RCE exploit in a Tier 1 Android app.
– Low-quality bug reports will receive half the reward if they do not provide accurate and detailed descriptions, a proof-of-concept exploit, easy steps to reproduce the vulnerability reliably, and a clear demonstration of the bug’s impact.

4. Additional changes to rules and rewards:
– The 2x modifier for SDKs is now incorporated into the regular rewards, leading to increased overall rewards.

5. Progress and achievements of the Mobile VRP:
– Over 40 valid security bug reports were received, leading to nearly $100,000 in rewards paid to security researchers within one year of the program’s launch in May 2023.

These takeaways capture the significant updates to the program and the results it has achieved so far.