Google's Android bug bounty: success story after one year and bonus increase

The Android bug bounty program has been around for a year now. Google considers it a complete success and is increasing the reporting rewards.

[Image: US dollar bills] (Image: Virrage Images/Shutterstock.com)

This article was originally published in German and has been automatically translated.

Google takes stock after one year of the "Mobile Vulnerability Reward Program" (VRP), the bug bounty program for Android apps. The company believes it has been a complete success – and is increasing the rewards by a factor of ten in some cases.

In a blog post, the "Bughunters" team writes that 40 valid reports of security vulnerabilities were received through the Android bug bounty program in that year. These earned the reporters a total of almost 100,000 US dollars in rewards.

Most of the vulnerabilities fell into the categories of authorization bypass or missing permission checks, so-called intent redirection (redirecting Intent message objects to malicious apps or to app components controlled by attackers), problems with CreatePackageContext, and typosquatting of package names. The resulting vulnerabilities allowed attackers to execute arbitrary code locally (in some cases even in SDKs developed by Google), to execute arbitrary code after the user followed a link, or to steal sensitive information.
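To make the "intent redirection" category concrete, here is an added illustration in Java for Android; it is not code from Google's blog post or from the article. It shows an exported activity that forwards a nested Intent it received from an untrusted caller (the vulnerable pattern), next to a hardened variant that refuses to act as a trampoline into non-exported components. The class, package and extra names are assumptions.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.content.pm.ResolveInfo;
import android.os.Bundle;
import android.util.Log;

// Added illustration of intent redirection (not the article's or Google's code).
// The activity is assumed to be declared with android:exported="true" in the
// manifest; the extra key and class name are hypothetical.
public class ForwardingActivity extends Activity {
    private static final String TAG = "ForwardingActivity";
    // Hypothetical extra under which a caller may place a nested Intent.
    static final String EXTRA_NEXT = "com.example.extra.NEXT_INTENT";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent next = getIntent().getParcelableExtra(EXTRA_NEXT);
        if (next != null) {
            forwardHardened(next);
        }
    }

    // Vulnerable pattern: any app can hand us a nested Intent, and because we
    // call startActivity() under our own identity, it is delivered with our
    // permissions. That reaches our own non-exported components and any
    // content URIs we hold grants for, which the caller could not touch itself.
    void forwardVulnerable(Intent next) {
        startActivity(next);
    }

    // Hardened pattern: resolve the target ourselves and refuse anything the
    // caller could not have started directly.
    void forwardHardened(Intent next) {
        ResolveInfo ri = getPackageManager().resolveActivity(next, 0);
        if (ri == null || ri.activityInfo == null) {
            Log.w(TAG, "Refusing to forward: no resolvable target");
            return;
        }
        ActivityInfo target = ri.activityInfo;
        // 1) Never forward into our own package: that is exactly how an
        //    internal, non-exported component becomes reachable from outside.
        if (getPackageName().equals(target.packageName)) {
            Log.w(TAG, "Refusing to forward into own package");
            return;
        }
        // 2) Only forward to components the caller could have reached anyway.
        if (!target.exported) {
            Log.w(TAG, "Refusing to forward to non-exported component");
            return;
        }
        // 3) Do not lend out our URI grants along with the forwarded Intent.
        next.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
        // Pin the resolved component so a later implicit resolution cannot
        // silently swap in a different receiver.
        next.setComponent(new ComponentName(target.packageName, target.name));
        startActivity(next);
    }
}
```

The three checks in forwardHardened() address the issue the article describes: the forwarding app's own permissions and non-exported components must never become reachable through an Intent that an arbitrary third-party app constructed. In practice the safest design is to not forward caller-supplied Intents at all and to build the next Intent from an allowlist of known targets.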

The goal has always been to fix vulnerabilities in Google's Android apps in order to protect users and their data, Google writes. The program is meant to achieve this by recognizing the hard work and contributions of IT security researchers who help Google improve the security of its apps. That has been a complete success, but based on feedback from the most capable bug reporters, the second part is now being improved.

First, Google has increased the amount it pays out for a vulnerability in its most important apps: for a remote code execution vulnerability in a Google Tier 1 app such as Gmail, reporters can now receive up to 300,000 US dollars instead of 30,000. Second, more emphasis is being placed on the quality of the reports and on the demonstrated impact. With the bonus increases for some areas, Google also wants to steer the focus of security researchers so that reports with the most severe impact are rewarded appropriately.

Google is introducing a quality-based factor to obtain more refined reports, which can be used, for example, to reproduce security vulnerabilities more easily and to reach decisions more quickly. Reports of exceptional quality receive a factor of 1.5, good quality a factor of 1, and low quality a factor of 0.5 on the reward to be paid. The updated rules of the Google Bug Bounty Program explain how these classifications are reached.

Google launched the bug bounty program a year ago. It covers not only Google's own Android apps but also those of other companies. This can be worthwhile for IT security researchers: in 2023, Google paid out a total of ten million US dollars to 632 reporters for vulnerabilities reported under the VRP; in 2022, it even paid out 12 million US dollars to 703 IT forensics experts.

(dmk)