Google will pay you for finding bugs in its first-party Android apps

Android Police

By Arol Wright

Published May 24, 2023

Hunt those vulnerabilities, get that bag

An argument could be made that Google's own set of apps has become just as important as Android itself is. Sure, you could use Android without Google apps by checking out a custom ROM without them, but Google apps are necessary for essential functionality, and are the core of a large number of features in our smartphones. As such, just like a vulnerability on Android could ruin your day, so can a vulnerability in one of the apps belonging to Google's core package of apps and services. Now, Google is introducing a bounty program for those who want to take a stab at finding issues and reporting them to the company — and the amounts are pretty juicy.

Google's newly-unveiled Vulnerability Reward Program, or VRP, for its Android apps will make sure you're well rewarded if you happen to come across a nasty issue Google doesn't want malicious actors to find out about. The company already had such a program for Android itself and its open-source apps, but now, it's rolling one out for the apps the company actually cares about the most.

Depending on the issue you report, how severe it is, and what app it affects, you might be in for a monetary reward, with the amount changing depending on what tier the app belongs to and how severe the issue is.

There are three possible tiers, with the most important being tier 1, a category reserved exclusively for Google Play Services, Google Cloud, Google Chrome, Gmail, Chrome Remote Desktop and, of course, the Google app itself. Then, tier 2 apps are all first-party apps interacting with tier 1 apps or otherwise interacting with user data or Google services — think of apps such as Google Drive or Google Photos. And then, tier 3 apps are those that don't interact with Google services or handle user data whatsoever.

As for the prize amount, if you manage to strike gold and find a vulnerability allowing for remote arbitrary code execution on a tier 1 app, Google will eagerly give you $30,000. The reward goes down to $25,000 if you find an equally severe issue on a tier 2 app, and $20,000 for a tier 3 app. From there, prizes go lower as the severity goes down, with a vulnerability letting a hacker attack within the same network on a tier 3 app netting you just $500.

If you manage to come across a fatal vulnerability, make sure to let Google know and the company will make it worth your while.