Bug hunters can get up to $450,000 for an RCE in Google’s Android apps
Google has drastically increased the rewards bug hunters can get for reporting vulnerabilities in Android apps it develops and maintains.
"We increased reward amounts by up to 10x in some categories," Google information security engineer Kristoffer Blasiak has pointed out.
The Google Mobile Vulnerability Reward Program was launched in May 2023, and covers Android apps developed by Google and its subsidiaries.
Google also wants to incentivize bug hunters to hand in exceptional quality reports - i.e., reports that come with a proposed patch/mitigation, a root cause analysis, and clearly demonstrate the impact of the findings - by pledging to increase the final reward amount by 1.5x. "Please be succinct: Your report is triaged by security engineers and a short proof-of-concept is more valuable than a video explaining the consequences of a specific bug," the team says.
Incentivizing ethical hackers to search for vulnerabilities in Android apps by Google.
Google obviously knows and accepts what a group of researchers from the University of Pittsburgh and Carnegie Mellon University recently confirmed after examining bug bounty programs: "Higher bounties incentivize ethical hackers to exert more effort, thereby increasing the probability that they will discover severe vulnerabilities first while reducing the success probability of malicious hackers."
News URL
https://www.helpnetsecurity.com/2024/05/03/google-android-apps-vulnerabilities/