Google has officially launched a bug bounty program for Android apps on Google Play Store, a measure that aims to improve the security of Android apps. The initiative, called Google Play Security Reward, will involve the security community in finding and reporting vulnerabilities in some of the most popular Android apps available in the official store.
The Google Play Security Reward offers security researchers to work directly with Android app developers to find and fix security issues in their applications, the experts will receive $1000 in rewards.
“The Google Play Security Reward Program recognizes the contributions of security researchers who invest their time and effort in helping us make apps on Google Play more secure. ” read a blog post published by Google.
“All Google’s apps are included and developers of popular Android apps are invited to opt-in to the program. Interested developers who aren’t currently in the program should discuss it with their Google Play partner manager. Through the program, we will further improve app security which will benefit developers, Android users, and the entire Google Play ecosyste“
The Google Play Security Reward Program is operated in collaboration with the bug bounty platform HackerOne.
Everyone that wants to participate the bug bounty program can submit his/her findings directly to the app development team. Once the vulnerability has been fixed, the expert only needs to submit his/her bug report through the HackerOne platform.
According to the Google Vulnerability Criteria, the experts will receive their $1,000 rewards. Currently, the program is focused on finding RCE (remote-code-execution) vulnerabilities and related exploit codes that work on Android 4.4 devices and higher. An attacker must to able to run arbitrary code on a user’s device without user knowledge or interaction.
“All vulnerabilities must be reported directly to the app developer first. Only submit issues to the Play Security Rewards Program that have already been resolved by the developer.” reads the announcement published on the HackerOne.
“For now, the scope of this program is limited to RCE (remote-code-execution) vulnerabilities and corresponding POCs (Proof-of-concepts) that work on Android 4.4 devices and higher.”
The Google Play Security Reward program does not include reporting fake or bogus apps available on Google play store, this means that it will not allow limiting the number of malicious applications in the official store.
At the time, only a few Android apps have been added to Google Play Security Reward Program, including Alibaba, Snapchat, Duolingo, Line, Dropbox, Headspace, Mail.ru and Tinder.