Google's bug bounty program now covers any big Android app

Bug bounty programs have become a popular way for developers to track down security issues in software, but big pay-outs are not something that every company can afford.

In a bid to keep its Android platform secure, Google has announced that its own bug bounty program is being expanded to include all big Android apps, regardless of who develops them. The company will reward security researchers who find bugs in any app in the Google Play Store with 100 million or more installs.

See also:

• Google security researcher warns that hackers are using malicious websites to exploit iOS flaws and monitor iPhone users
• Apple widens the scope of its bug bounty program, and increases top payout to $1 million
• Beta bug hunters can bag up to $30k in the Microsoft Edge Insider Bounty program

In making the change, Google acknowledges that not all app developers have the finances to support their own bug bounty programs. The belief is that in helping developers to discover bugs in their software, Google will be able to automate the process of checking other apps for the same issues.

Announcing the expansion of the Google Play Security Reward Program, the company says:

We are increasing the scope of GPSRP to include all apps in Google Play with 100 million or more installs. These apps are now eligible for rewards, even if the app developers don't have their own vulnerability disclosure or bug bounty program. In these scenarios, Google helps responsibly disclose identified vulnerabilities to the affected app developer. This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps. If the developers already have their own programs, researchers can collect rewards directly from them on top of the rewards from Google. We encourage app developers to start their own vulnerability disclosure or bug bounty program to work directly with the security researcher community.

At the same time, Google has also teamed up with HackerOne to launch the Developer Data Protection Reward Program. This program is designed to highlight instances of data abuse in Android apps, Chrome extensions and OAuth projects. Google explains:

The program aims to reward anyone who can provide verifiably and unambiguous evidence of data abuse, in a similar model as Google’s other vulnerability reward programs. In particular, the program aims to identify situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent. If data abuse is identified related to an app or Chrome extension, that app or extension will accordingly be removed from Google Play or Google Chrome Web Store. In the case of an app developer abusing access to Gmail restricted scopes, their API access will be removed. While no reward table or maximum reward is listed at this time, depending on impact, a single report could net as large as a $50,000 bounty.

Find out more over on the Developer Data Protection Reward Program website.