Google has announced a bug bounty program covering other developers’ popular Android apps available for download in its Play Store.
On 19 October, the American multinational technology company launched its Google Play Security Rewards Program. Here’s a high-level description of the new framework:
“Google Play is working with the independent bug bounty platform, HackerOne, and the developers of popular Android apps to implement the Google Play Security Reward Program. Developers of popular Android apps are invited to opt-in to the program, which will incentivize security research in a bug bounty model. The goal of the program is to further improve app security which will benefit developers, Android users, and the entire Google Play ecosystem.”
At the time of launch, Google considers 13 apps developed by Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.Ru, Snapchat, and Tinder in-scope for its new vulnerability reward framework. Security researchers can qualify for a bounty by identifying a security flaw, reporting it directly to the app developer, and working with them to fix the issue. Once the app has received a patch for the bug, researchers can request a reward from the Google Play program.
Not surprisingly, there are a few rules by which all participating security researchers must abide. First, they must always report a flaw to the affected app developer before anyone else. Second, they cannot submit a request to the Google Play Security Reward Program if the security issue in question received a fix more than 90 days ago. Third, only remote code execution (RCE) vulnerabilities, a type of flaw that attackers can exploit to commit fraudulent payment card transactions or conduct phishing attacks, are currently eligible for a reward through Google’s new framework.
If they follow the above criteria along with a few other rules, security researchers can hope to receive a $1000 reward.
Want more information on bug bounty programs in general? Read my interview with Mårten Mickos, HackerOne’s CEO.