Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Google Launches Bug Bounty Program for Apps

Google has launched a new bug bounty program dedicated to improving the security of its Android app ecosystem.

The Google Play Security Reward Program is being introduced in collaboration with popular third-party platform HackerOne.

White hat Android hackers are encouraged to first report any vulnerabilities to the developer and work with them to resolve the issue.

Once the bug has been fixed, they can then apply for a reward, but only have 90 days after a patch was issued to do so.

Only developers “who have expressed a commitment to fixing bugs which are disclosed to them” will be invited to the program. So far, the list is pretty short: Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.Ru, Snapchat and Tinder.

All Google-developed Android apps on Google Play are also in-scope, but should instead be submitted to the Google Vulnerability Reward Program or the Chrome Reward Program.

The new HackerOne program currently only accepts remote code execution (RCE) vulnerabilities and corresponding proof-of-concepts (POCs) that work on Android 4.4 devices and higher.

“Any vulnerability that requires collusion between apps, or where there is a dependency for another app to be installed is considered to be out of scope, and thus will not qualify for a reward,” noted Google.

Successful participants will be awarded $1000 for their efforts.

The new program will complement Google’s other rewards schemes for security researchers.

The Android Security Rewards program was launched in 2015 as part of the long-standing Google Vulnerability Rewards Program, although it is mainly focused not on apps but improving the security of Nexus devices.

Last year, the maximum reward was raised to $50,000 for a remote exploit chain or exploits leading to TrustZone or Verified Boot compromise.

What’s Hot on Infosecurity Magazine?