Google increases maximum bug bounties for its own apps by a factor of ten

Google will increase the maximum bug bounties for its own apps by a factor of ten. Hackers who report bugs in apps like Gmail could receive not just $30,000, but up to $300,000 in the future. In very rare cases, a 50 percent bonus may be added.

Google writes in a blog post that it is increasing the maximum rewards of the Mobile Vulnerability Rewards Program. The company started that program a year ago. The Mobile VRP is a bug bounty program for Google's own Android apps, including Gmail, Google Play Services, and the Search app. Since May last year, the company has processed 40 bug bounties through that program, paying out more than $100,000 in rewards.

After feedback from hackers, Google is now making some changes to the program. The most striking of these concerns the level of rewards. Reporting a remote arbitrary code execution in first-party apps always yielded a maximum of $30,000. That will be increased to $300,000 in the future. The maximum reward for reporting data theft vulnerabilities will also increase by a factor of ten, from $7,500 to $75,000 for vulnerabilities that do not require user interaction.

Google is also adding a 'modifier' to the program that allows hackers to receive a higher reward if their bug reports are of exceptional quality. If the quality is high, they get the normal amount, but if hackers can describe a possible patch or root cause, they can get one and a half times the maximum bug bounty reward. This means that for the highest-paying bug, a remote code execution without user interaction, they can earn a maximum of $450,000. On the other hand, a report can also be of low quality, for which Google only pays out half of the maximum reward.