Apps with more than 100 million installs are now part of the program

Aug 30, 2019 11:10 GMT  ·  By

Google has expanded the Google Play Security Reward Program (GPSRP) to cover third-party Android apps published in the Google Play Store that have more than 100 million installs.

In other words, security researchers who find vulnerabilities in the most popular Android apps and report them through the program are eligible for bounties, even if the developer of the affected app does not run a reward program of its own.

If the developer does run a bounty program, a researcher can collect two separate payouts for the same report: one from the developer's program and one from Google.

Google forwards the vulnerability reports to the developers so the flaws can be patched, and the search giant says it encourages every app creator to launch their own vulnerability disclosure or bug bounty program.

“Vulnerability data from GPSRP helps Google create automated checks that scan all apps available in Google Play for similar vulnerabilities. Affected app developers are notified through the Play Console as part of the App Security Improvement (ASI) program, which provides information on the vulnerability and how to fix it,” Google says.

New program

Additionally, the search giant is launching the Developer Data Protection Reward Program (DDPRP) in collaboration with HackerOne. This program is specifically aimed at finding data abuse issues in Android apps, OAuth projects, and Chrome extensions.

“The program aims to reward anyone who can provide verifiable and unambiguous evidence of data abuse, in a similar model as Google’s other vulnerability reward programs. In particular, the program aims to identify situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent,” Google says.

The largest bounty under this program can reach as much as $50,000 for a single report, depending on the severity of the data abuse and the quality of the submitted report.