You can earn a $1,000 bounty for finding software bugs in Android apps
Google has launched (and is expanding) a new program with the aim of removing vulnerabilities from third-party apps on its Google Play Store. Titled the Google Play Security Reward Program, it will reward researchers $1,000 for discovering problems in Android apps and reporting them to Google.
“Through the programme, we will further improve app security which will benefit developers, Android users and the entire Google Play ecosystem,” said the search giant.
Google has maintained such bug bounty programs for a number of its platforms, such as Chrome and Chrome OS, among others. For now, this program's scope is restricted to RCE (remote code execution) vulnerabilities, with corresponding PoCs (proofs of concept) that work on devices running Android 4.4 and higher.
“This translates to any RCE vulnerability that allows an attacker to run code of their choosing on a user’s device without user knowledge or permission,” Google said.
How it Works
Within the bug bounty program, a researcher needs to find a vulnerability among the apps covered. Once found, they will have to report it to the app developer via their current reporting process. The app developer will then work with the researcher to resolve the vulnerabilities found within 90 days. The researcher can then claim the bounty from Google which will evaluate if it meets the program’s criteria before handing over the $1,000 reward.
“The programme will evaluate each submission based on the vulnerability criteria. A reward of $1,000 will be rewarded for issues that meet this criteria,” Google said. “We are unable to issue rewards to individuals who are on US sanctions lists or who are in countries (Crimea, Cuba, Iran, North Korea, Sudan and Syria),” it added.
For this program, Google is working alongside HackerOne, a vulnerability coordination and bug bounty platform. Developers can participate in the program only if they are willing to respond to and help fix the vulnerabilities found in a timely manner. They will also need to follow HackerOne's disclosure guidelines and provide reports with the required details. The apps currently in the scope of the program include Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.ru, Snapchat, and Tinder, with more to be added as time goes on.
“The Google Play Security Reward Programme recognises the contributions of security researchers who invest their time and effort in helping us make apps on Google Play more secure,” said the firm.