Google launches bug bounty program for its Android applications

Google has launched the Mobile Vulnerability Rewards Program (Mobile VRP), a new bug bounty program that will pay security researchers for flaws found in the company's Android applications.

"We're excited to announce the new Mobile VRP! We're looking for bughunters to help us find and fix vulnerabilities in our mobile applications," Google VRP tweeted.

As the company explained, the main goal of the Mobile VRP is to speed up the process of finding and fixing weaknesses in first-party Android apps developed or maintained by Google.

Applications in scope for the Mobile VRP include those developed by Google LLC, Developed with Google, Research at Google, Red Hot Labs, Google Samples, Fitbit LLC, Nest Labs Inc, Waymo LLC, and Waze.

The list of in-scope apps also includes what Google describes as "Tier 1" Android applications, which covers the following apps (and their package names):

  • Google Play Services (com.google.android.gms)
  • AGSA (com.google.android.googlequicksearchbox)
  • Google Chrome (com.android.chrome)
  • Google Cloud (com.google.android.apps.cloudconsole)
  • Gmail (com.google.android.gm)
  • Chrome Remote Desktop (com.google.chromeremotedesktop)

Qualifying vulnerabilities include those allowing arbitrary code execution (ACE) and theft of sensitive data, as well as weaknesses that could be chained with other flaws to achieve a similar impact.

These include orphaned permissions, path traversal or zip path traversal flaws leading to arbitrary file write, intent redirections that can be exploited to launch non-exported application components, and security bugs caused by unsafe usage of pending intents.
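As an added illustration of the "zip path traversal leading to arbitrary file write" class listed above (example code, not Google's or any in-scope app's own), this shows the check an Android app should apply to every archive entry before writing it under its private directory. The archive contents, the entry names and the target directory are constructed for the demo.

```java
import java.io.*;
import java.util.zip.*;

// Added example (not Google's code): extract an archive into an app-private
// directory while rejecting entries that would escape it (zip path traversal).
public final class SafeUnzip {
    // Resolves an entry name under targetDir, or throws if it escapes that directory.
    static File resolveEntry(File targetDir, String entryName) throws IOException {
        String root = targetDir.getCanonicalPath();
        File candidate = new File(targetDir, entryName);
        String resolved = candidate.getCanonicalPath();   // collapses "..", resolves symlinks
        // Compare with a trailing separator so "/data/app-x" is not treated as inside "/data/app".
        if (!resolved.equals(root) && !resolved.startsWith(root + File.separator)) {
            throw new ZipException("entry escapes target directory: " + entryName);
        }
        return candidate;
    }

    // Extracts all entries; the archive is rejected at the first entry that fails the check.
    static int extract(InputStream zipData, File targetDir) throws IOException {
        int written = 0;
        try (ZipInputStream zin = new ZipInputStream(zipData)) {
            for (ZipEntry e; (e = zin.getNextEntry()) != null; ) {
                File out = resolveEntry(targetDir, e.getName());   // the traversal check
                if (e.isDirectory()) { out.mkdirs(); continue; }
                out.getParentFile().mkdirs();
                try (OutputStream os = new FileOutputStream(out)) { zin.transferTo(os); }
                written++;
            }
        }
        return written;
    }

    // Builds a small archive in memory from constructed entry names (content = the name).
    static byte[] archiveWith(String... names) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bos)) {
            for (String n : names) { zout.putNextEntry(new ZipEntry(n)); zout.write(n.getBytes()); zout.closeEntry(); }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        File target = new File(System.getProperty("java.io.tmpdir"), "safe-unzip-demo");  // stand-in for the app's files dir
        byte[] benign = archiveWith("assets/config.json");
        byte[] hostile = archiveWith("assets/config.json", "../shared_prefs/settings.xml"); // constructed traversal entry
        System.out.println("benign archive: " + extract(new ByteArrayInputStream(benign), target) + " file(s) written");
        try { extract(new ByteArrayInputStream(hostile), target); }
        catch (ZipException ex) { System.out.println("hostile archive rejected: " + ex.getMessage()); }
    }
}
```

Without the `resolveEntry` check, the second archive would write `settings.xml` into a sibling directory of the target, which is the arbitrary file write the program pays for.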

Google says it will reward a maximum of $30,000 for remote code execution without user interaction and up to $7,500 for bugs allowing the theft of sensitive data remotely.

| Category | 1) Remote / no user interaction | 2) User must follow a link that exploits the vulnerable app | 3) User must install a malicious app, or the victim app is configured in a non-default way | 4) Attacker must be on the same network (e.g. MiTM) |
| --- | --- | --- | --- | --- |
| Arbitrary Code Execution | $30,000 | $15,000 | $4,500 | $2,250 |
| Theft of Sensitive Data | $7,500 | $4,500 | $2,250 | $750 |
| Other Vulnerabilities | $7,500 | $4,500 | $2,250 | $750 |

"The Mobile VRP recognizes the contributions and hard work of researchers who help Google improve the security posture of our first-party Android applications," Google said.

"The goal of the program is to mitigate vulnerabilities in first-party Android applications, and thus keep users and their data safe."

In August 2022, the company announced it would pay security researchers to find bugs in the latest released versions of Google open-source software (Google OSS), including its most sensitive projects such as Bazel, Angular, Golang, Protocol Buffers, and Fuchsia.

Since launching its first VRP more than a decade ago, in 2010, Google has paid more than $50 million to thousands of security researchers worldwide for reporting over 15,000 vulnerabilities.

In 2022 it awarded $12 million, including a record-breaking $605,000 payout for an Android exploit chain of five separate security bugs reported by gzobqq, the highest in Android VRP history.

One year earlier, the same researcher submitted another critical exploit chain in Android, earning $157,000, which was the previous bug bounty record in Android VRP history at the time.
