Company launches bug bounty for apps on the Play Store

Oct 20, 2017 05:30 GMT
All developers with apps published on the Play Store can be part of the program

Google has launched another bug bounty program, yet this time it’s not aimed only at its own apps, but also at those developed by third-party companies and published on the Play Store.

Google’s new effort is called Play Security Reward Program and calls for hackers to find remote code execution (RCE) flaws in specific popular Android applications running on Android 4.4 and newer.

For the time being, only eight different developers have been approved for the program, namely Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.ru, Snapchat, and Tinder, but Google says it’s working with more app makers to expand the program.

While Google’s own applications are also covered by the new bug bounty program (though Google says those should be submitted via the Google Vulnerability Reward Program), the company explains that submissions must include a proof of concept and demonstrate how an attacker can gain full control of a device, or exploit UI manipulation flaws to commit a transaction. “There is no requirement that OS sandbox needs to be bypassed.”

Making Android more secure

The top payment as part of the program is $1,000, and according to the guidelines, once the reports are submitted, researchers need to work together with the app developers to have the vulnerability resolved. If the flaw is successfully patched, the Android Security team issues a reward to the researcher.

Google says the effort will benefit not only the apps and developers that are part of the program, but the entire Android ecosystem.

“The Google Play Security Reward Program recognizes the contributions of security researchers who invest their time and effort in helping us make apps on Google Play more secure,” Google says. “Through the program, we will further improve app security which will benefit developers, Android users, and the entire Google Play ecosystem.”

The company says that it’s also considering expanding the program to cover more vulnerability classes, and recommends that developers who aren’t yet part of the effort get in touch with their Google Play partner manager to find out how they can get their apps listed on the bug bounty page.