Google is well known for its rewards for security researchers. A simple XSS in any Google subdomain will reward you $1337. Google's major focus is on its Android operating system and its applications.
Android was acquired by Google in 2005 for $50 million. Android has been generating massive revenue for Google from its Google Play services and other Android services.
Security researchers all over the world have reported several critical bugs to various organizations, including Google, Facebook, Apple, Microsoft, etc.; these reports have spared these organizations tens of millions of dollars in data breach losses.
Google’s Bug Bounty Program for Android has been set with a maximum reward of $15,000. This will attract a lot of security researchers to crack open the Android safe.
Unauthorized access to sensitive data that are insecurely stored
Manipulation of insecure design to read sensitive data
Full control over the application
Malicious overwriting of a .so file
Calling exec and running arbitrary Java native code, etc.
Vulnerabilities that are considered unqualified are:
Hardcoded API keys
Variants of Strandhogg
Attacks with a rooted device
Non-sensitive media access in external storage
Application Tiers
According to the Bug Bounty Program, applications are separated into tiers, and each tier has its own reward range.
Tier 1
| Name | Package name |
| --- | --- |
| Google Play Services | com.google.android.gms |
| AGSA | com.google.android.googlequicksearchbox |
| Google Chrome | com.android.chrome |
| Google Cloud | com.google.android.apps.cloudconsole |
| Gmail | com.google.android.gm |
| Chrome Remote Desktop | com.google.chromeremotedesktop |
Rewards for these Tier 1 application vulnerabilities start from $750 and go up to a maximum of $30,000.
Tier 2
Tier 2 covers applications that handle user data, those that interact with the Tier 1 applications in some way, or those that connect with Google services.
Rewards for these Tier 2 application vulnerabilities start from $625 and go up to a maximum of $25,000.
Tier 3
Tier 3 covers applications that do not handle user data or interact with Google’s services.
Rewards for these Tier 3 application vulnerabilities start from $500 and go up to a maximum of $20,000.