Google is making it easier for security researchers to get paid for finding bugs on the Play Store by increasing the scope of its Google Play Security Reward Program (GPSRP) to all apps on its store with 100 million or more installs.
The search giant has also launched a new program in collaboration with HackerOne called the Developer Data Protection Reward Program (DDPRP) aimed at finding data abuses in Android apps, OAuth projects and Chrome extensions.
Since the launch of its bug bounty program in 2010, Google has already paid security researchers over $15m and GPSRP has already paid out over $256k in bounties so far. By adding popular Android apps to the program, the company is making them eligible for rewards regardless of whether the app's developers have their own vulnerability disclosure or bug bounty program.
- Valve updates bug bounty rules after Steam zero-day controversy
- Microsoft paid out millions in bug bounties last year
- Apple ups bug bounty rewards in security push
In exchange for paying out a bug bounty, Google will use the vulnerability data collected by security researchers to help create automated checks that scan all of the apps in the Play Store for similar vulnerabilities. Developers whose apps contain bugs are notified via the Play Console and the App Security Improvement (ASI) program will provide them with information on the vulnerability and how to fix it. Back in February, Google revealed that ASI has already helped more than 300k developers fix over 1m apps on Google Play.
Developer Data Protection Reward Program
In addition to expanding its current Android bug bounty program, Google also launched DDPRP to identify and mitigate data abuse issues in Android apps, OAuth projects and Chrome extensions. Instead of finding vulnerabilities, this program will reward security researchers that find and report apps which have violated Google Play, Google API or Chrome Web Store Extensions program policies.
Those that can find evidence of data abuse that can be verified could get paid. On the DDPRP page on HackerOne's website, Google highlights apps that access a user's contacts and doesn't treat this data as personal or sensitive data as well as apps that violate its permission policy by using contact data without a user's permission for another service unrelated to the original app.
The company did not provide a maximum reward amount but depending on its impact, a single report could earn a security researcher a $50k bounty.
Android apps and Chrome extensions that abuse user's data will be removed from their respective stores and if developer is also found abusing access to Gmail restricted scopes their API access will be removed.
- Have an Android smartphone? Keep it protected with the best Android antivirus apps of 2019