Bug Bounty Android

Google is well-known for its rewards for Security Researchers. A Simple XSS in any Google subdomain will reward you $1337. Google has its major focus on its Android operating system and its applications.

Android was acquired by Google in 2005 for $50 Million. Android has been generating massive revenue for Google from its Google Play services and other Android services.

All over the world Security, researchers have reported several critical bugs to various organizations, including Google, Facebook, Apple, Microsoft, etc.; these reports have prevented tens of millions of dollars from a data breach for these organizations.

Google’s Bug Bounty Program for Android has been set with a maximum reward of $15,000. This will attract a lot of security researchers to crack open the Android safe.

Qualifying Vulnerabilities

A list of vulnerabilities is being focussed by Google, which are

  • Arbitrary Code Execution (ACE)
  • Theft of Sensitive Data
  • Path Traversal
  • Intent redirections
  • Orphaned permissions
  • Unsafe usage of pending intents
  • Unauthorized access to sensitive data that are insecurely stored
  • Manipulation of insecure design to read sensitive data
  • Full control over the application
  • Malicious overwriting of .so file
  • Call exec and run arbitrary java native code etc.,

Vulnerabilities that are considered unqualified are,

  • Hardcoded API keys
  • Variants of Strandhogg
  • Attacks with a rooted device
  • Non-sensitive media access in external storage

Application Tiers

According to the Bug Bounty Program, applications are separated into tiers which will have different rewards in different tiers.

Tier 1

NamePackage name
Google Play Servicescom.google.android.gms
AGSAcom.google.android.googlequicksearchbox
Google Chromecom.android.chrome
Google Cloudcom.google.android.apps.cloudconsole
Gmailcom.google.android.gm
Chrome Remote Desktopcom.google.chromeremotedesktop

Rewards for these Tier 1 application vulnerabilities start from $750 and go up to a maximum of $30,000.

Tier 2

Tier 2 belongs to applications that handle user data, those that interact with the Tier 1 applications in some way, or those that connect with Google services. 

Rewards for these Tier 2 application vulnerabilities start from $625 and go up to a maximum of $25,000.

Tier 3

Tier 3 applications belong to those that do not handle user data or interact with Google’s services.

Rewards for these Tier 3 application vulnerabilities start from $500 and go up to a maximum of $20,000.

For more information about the Google Bug Bounty Program, Visit Google’s Bug Hunter website.

Common Security Challenges Facing CISOs? – Download Free CISO’s Guide

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.