Over the past year we have seen an absolute slew of companies launching new bug bounty programs, and we’re pleased to see that Google is adding another one to the list, the Google Play Security Reward Program. This is not Google’s first bug bounty program, but it is unique in that it is not targeted at Google’s own software.
The Google Play Security Reward Program is part of Google’s ever-expanding efforts to improve security on Android, with this program in particular focusing on improving the security of high-profile apps on the Google Play Store. The Google Play Security Reward Program is not meant as a replacement for the participating applications’ own bug bounty programs, but rather is positioned as an additional incentive to find and patch issues on Android. All apps invited into the program must have their own coordinated disclosure program in place, and security researchers are expected to apply for a reward from the Google Play Security Reward Program only after the vulnerability has been made public by the participating company. Once the vulnerability is publicized, the discoverer has 90 days to apply for the additional reward from Google. As the bug bounty exists purely to provide a bonus payment over and above what each participating company offers, it currently has only one payment tier: $1,000 for remote code execution.
As this is being treated as an additional bounty over and above what is already being offered for those applications, the scope is relatively limited. The Google Play Security Reward Program will currently only pay out for remote code execution (RCE) vulnerabilities that are shown to work on Android 4.4 and later without requiring the installation or use of a second app.
The launch partners for this bug bounty are Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.ru, Snapchat, and Tinder, with more to come in the future if the program proves successful. Google will be hosting the Google Play Security Reward Program on the popular bug bounty platform HackerOne, which was also picked by Qualcomm to host its Vulnerability Rewards Program last year.
For more information, you can visit the bug bounty’s page on HackerOne.