Google just really upped the ante for vulnerability hunters by increasing the rewards for finding bugs tenfold of Remote Code Execution (RCE) in certain Android applications. Now, if you are a security expert and have a good eye for bugs, you can earn up to $300,000, with the possibility of up to $450,000 for exception reports.
This major change to the Mobile Vulnerability Reward Program (Mobile VRP) targets Tier 1 apps, which include critical services like Google Play Services, Google Search Android App (AGSA), Google Cloud, and Gmail. Google now wants researchers to focus on bugs that can lead to the theft of sensitive data, offering $75,000 to exploit them without user interaction and doable remotely.
For exceptional quality reports that include a proposed patch, effective mitigation, and root cause analysis, Google is willing to pay 1.5 times the total reward amount. But beware, for low-quality reports that do not provide detailed descriptions, a demonstrative exploit, or clear steps to reproduce the vulnerability, the reward is halved.
As part of this program, Google also introduced minor rule changes, such as integrating the 2x multiplier for SDKs into the regular rewards, thereby simplifying the panel’s decision-making process and generally increasing the rewards awarded.
Launched in May 2023, Mobile VRP was primarily aimed at speeding up the discovery and remediation of security vulnerabilities in Android applications developed or maintained by Google. A year after its launch, the program has received more than 40 valid security reports, approaching $100,000 in rewards paid to researchers.
