Google, which has already paid security researchers over $15 million since launching its bug bounty program in 2010, today increased the scope of its Google Play Security Reward Program (GPSRP). Security researchers will now be rewarded for finding bugs across all apps in Google Play with 100 million or more installs. At the same time, the company launched the Developer Data Protection Reward Program (DDPRP) in collaboration with HackerOne. That program is for data abuses in Android apps, OAuth projects, and Chrome extensions.
Bug bounty programs are a great complement to existing internal security programs. They help motivate individuals and hacker groups to not only find flaws but disclose them properly, instead of using them maliciously or selling them to parties that will. Rewarding security researchers with bounties costs peanuts compared to paying for a serious security snafu. Today’s updates come after Google increased rewards for hacking Chrome, Chrome OS, and Google Play last month.
Google Play Security Reward Program
GPSRP has paid out over $265,000 in bounties so far. Adding more popular apps makes them eligible for rewards even if their developers don’t have their own vulnerability disclosure or bug bounty program. In these scenarios, the security researcher discloses identified vulnerabilities to Google, which in turn passes them on to the affected app developer. As a result, security researchers can help hundreds of organizations identify and fix vulnerabilities in their apps. If the developers already have their own programs, researchers can collect rewards from them and from Google.
This isn’t a one-way street. Google also uses this vulnerability data to create automated checks that scan all Google Play apps for similar vulnerabilities. Affected app developers are notified via the Play Console. The App Security Improvement (ASI) program provides them with information on the vulnerability and how to fix it. In February, Google revealed that ASI has helped over 300,000 developers fix over 1,000,000 apps on Google Play.
Developer Data Protection Reward Program
DDPRP is a new bug bounty program for identifying and mitigating data abuse issues in Android apps, OAuth projects, and Chrome extensions. The goal is to recognize security researchers who report apps that are violating Google Play, Google API, or Google Chrome Web Store Extensions program policies.
If you can provide verifiable and unambiguous evidence of data abuse, you could get paid. In particular, Google is interested in situations “where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent.” Google didn’t provide a maximum reward amount, but said that “depending on impact, a single report could net as large as a $50,000 bounty.”
Android apps and Chrome extensions with data abuse will be removed from Google Play and the Chrome Web Store. If a developer is found to be abusing access to Gmail restricted scopes, their API access will be removed.