Found a mistake - bought a three-room apartment in Moscow: Google increases payments to bug hunters to $450,000

Dobra Corporation has announced record awards for critical RCEs in Android apps.

Google significantly increased rewards for reporting vulnerabilities that allow successful remote code execution (RCE) in Android apps, raising the maximum cash payout for outstanding reports to $450,000.

The updates affect the Mobile Vulnerability Reward Program (Mobile VRP), which now includes so-called first-level applications, including Google Play services, Google Search, Google Cloud and Gmail.

Under the Mobile VRP, the company now offers $300,000 for vulnerabilities that allow code execution remotely and without user interaction. Notably, the reward for such vulnerabilities was previously ten times lower, at $30,000. Moreover, if the bug report is of exceptional quality and includes a root cause analysis, suggestions for a fix and other recommendations, researchers can receive up to the $450,000 mentioned above.

A reward of $75,000 was also announced for exploits that make it possible to steal sensitive data without user interaction. Low-quality reports that do not provide an accurate and detailed description of the vulnerability, a proof of concept, simple steps to reproduce the vulnerability, and a clear demonstration of the bug's impact will receive half the reward.

The reward structure has also changed: the 2x modifier for the SDK is now included in the standard rewards. This increases the total amount of payments and simplifies decision-making by expert groups.

In general, the Google rewards table now looks like this, not including increased rewards for reports of exceptional quality:

Kristoffer Blasiak, an information security engineer at Google, emphasized that the Mobile VRP program, launched in May last year, has already brought significant results: "Most importantly, we have received more than 40 valid reports of security errors, and the reward for researchers is very close to the mark of 100 thousand dollars."
 