Google has launched a new bug bounty program, the Mobile Vulnerability Rewards Program (Mobile VRP), designed to pay researchers for discovering security vulnerabilities in the Android operating system.
In-scope applications for the program include:
- Chrome Remote Desktop (com.google.chromeremotedesktop)
- Google Chrome (com.android.chrome)
- Google Cloud (com.google.android.apps.cloudconsole)
- Gmail (com.google.android.gm)
- Google Play Services (com.google.android.gms)
- AGSA (com.google.android.googlequicksearchbox)
- Apps developed by Google LLC, Developed with Google, Research at Google, Red Hot Labs, Fitbit LLC, Waze, Nest Labs Inc, and Waymo LLC
Google has also defined which vulnerabilities qualify for payment, mostly those involving arbitrary code execution and data theft, along with vulnerabilities that can be combined with others to create new attacks.
More information on the types of attacks that are in scope, along with a payment schedule for vulnerabilities based on type, can be found here.