Standards & Bug Bounties
Security standards governing mobile apps and vulnerability disclosure programs relevant to Android.
Bug Bounty Programs
| Program | Scope | Max Payout | Notes |
|---|---|---|---|
| Google VRP | Android OS, Pixel devices, Google apps | $1,000,000 (full exploit chain) | Largest mobile bounty. Covers kernel, framework, and app-level bugs. Paid $11.8M total in 2024. |
| Google Mobile VRP | First-party Android apps | $30,000 (RCE) | Separate program for Google-developed Android apps (Maps, YouTube, etc.) |
| Samsung Mobile Security Rewards | Samsung devices, Knox, Galaxy Store | $1,000,000 | Covers One UI, Knox, Samsung-specific drivers and firmware |
| Qualcomm Bug Bounty | Snapdragon chipsets, modem, TEE | Varies | Baseband and TrustZone vulnerabilities. Critical for Android exploit chains. |
| MediaTek PSIRT | MediaTek chipsets | Varies | Second-largest Android chipset vendor |
Standards Bodies & Regulators
| Organization | Standard/Regulation | Relevance |
|---|---|---|
| NIST | SP 800-163 (Vetting Mobile Apps), SP 800-124 (Managing Mobile Devices) | US government mobile security guidelines |
| ENISA | Smartphone Secure Development Guidelines | EU mobile security guidance for developers and enterprises |
| EMVCo | SBMP (Software-Based Mobile Payments) | Certification for mobile payment app security. DexProtector and Verimatrix are EMVCo-certified. |
| PCI SSC | PCI MPoC (Mobile Payments on COTS) | Standard for accepting payments on commercial off-the-shelf mobile devices |
| OWASP | MASVS / MASTG | Mobile Application Security Verification Standard and Testing Guide. Industry-standard testing framework. |
| GSMA | FS.05, FS.31 | Mobile device security guidelines, SIM security standards |
| EU Parliament | Cyber Resilience Act (CRA) | Mandatory cybersecurity requirements for products with digital elements, including mobile apps. Effective 2027. |