Google boosts bug bounties for Play Store apps

Android
(Image credit: Shutterstock)

Security researchers could be in for a major payday after Google revealed an increase in its bug bounty rewards.

The company wants to encourage firms to help findg bugs on the Play Store by increasing the scope of its Google Play Security Reward Program (GPSRP) to all apps on its store with 100 million or more installs.

The search giant has also launched a new program in collaboration with HackerOne called the Developer Data Protection Reward Program (DDPRP) aimed at finding data abuses in Android apps, OAuth projects and Chrome extensions.

Since the launch of its bug bounty program in 2010, Google has already paid security researchers over $15m and GPSRP has already paid out over $256k in bounties so far. By adding popular Android apps to the program, the company is making them eligible for rewards regardless of whether the app's developers have their own vulnerability disclosure or bug bounty program.

In exchange for paying out a bug bounty, Google will use the vulnerability data collected by security researchers to help create automated checks that scan all of the apps in the Play Store for similar vulnerabilities. Developers whose apps contain bugs are notified via the Play Console and the App Security Improvement (ASI) program will provide them with information on the vulnerability and how to fix it. Back in February, Google revealed that ASI has already helped more than 300k developers fix over 1m apps on Google Play.

Developer Data Protection Reward Program

In addition to expanding its current Android bug bounty program, Google also launched DDPRP to identify and mitigate data abuse issues in Android apps, OAuth projects and Chrome extensions. Instead of finding vulnerabilities, this program will reward security researchers that find and report apps which have violated Google Play, Google API or Chrome Web Store Extensions program policies.

Those that can find evidence of data abuse that can be verified could get paid. On the DDPRP page on HackerOne's website, Google highlights apps that access a user's contacts and doesn't treat this data as personal or sensitive data as well as apps that violate its permission policy by using contact data without a user's permission for another service unrelated to the original app.

The company did not provide a maximum reward amount but depending on its impact, a single report could earn a security researcher a $50k bounty.

Android apps and Chrome extensions that abuse user's data will be removed from their respective stores and if developer is also found abusing access to Gmail restricted scopes their API access will be removed.

Via VentureBeat

TOPICS
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
China
Chinese hackers targeting Juniper Networks routers, so patch now
Google Chrome dark mode
Google updates Chrome extension rules to ban affiliate link injection without user action or benefit
Abstract image of robots working in an office environment including creating blueprint of robot arm, making a phone call, and typing on a keyboard
This worrying botnet targets unsecure TP-Link routers - thousands of devices already hacked
Avast cybersecurity
UK cybersecurity sector could be worth £13bn, research shows
An option to add Ambient Music buttons to the iOS 18.4 Control Center.
Apple fixes dangerous zero-day used in attacks against iPhones and iPads
Trump
Hackers are abusing $TRUMP tokens to lure victims in to new phishing scam
Latest in News
Google Gemini Robotics
Gemini just got physical and you should prepare for a robot revolution
Lilo & Stitch Official Trailer
Stitch crashes into earth and steals our hearts with the first trailer for the live-action Lilo & Stitch
GTA 5
GTA Online publisher Take-Two is gunning for a black market that’s basically heaven for cheaters
Y2K cast looking shocked
Y2K has a streaming release date on Max, so you can witness the technology uprising at home
The Discovery+ homepage
Discovery+ just got a big update to its streaming app that makes it more like Max – here are 5 great new features to try
Two Android phones on a green and blue background showing Google Messages
Struggling with slow Google Messages photo transfers? Google says new update will make 'noticeable difference'