Details are light at the moment, but a bit of news out of Google’s Playtime developer event this morning: the company is launching a Google Play bug bounty program that’ll encourage researchers to poke around and look for vulnerabilities in some of Android’s most popular apps (both those built by Google and those built by third-party devs.)
Called the “Google Play Security Reward” program, the new program aims to get researchers to work directly with Android app developers to find vulnerabilities. If you help a developer squash a bug, Google will pay you $1,000 (on top of whatever bounty the third-party dev themselves might pay).
Here’s what we know so far:
- The program only includes a limited selection of Android apps at the moment. Not all Android apps. The list currently includes Alibaba, Dropbox, Duolingo, Headspace, LINE, Snapchat and Tinder along with “all Google-developed Android apps available on Google Play”.
- Apps must be invited into the program for now; when it eventually opens up to more apps, a rep from Google tells me it’ll be opt-in.
- Researchers will work directly with the app developer to confirm/squash vulnerabilities; once a bug is fixed, the researcher tells Google, who confirms the bug and issues the $1,000 reward. Google doesn’t want to know about the bug before it’s fixed. “This program is only for requesting bonus bounties after the original vulnerability was resolved with the app developer,” it notes.
- As with most bug bounty programs, Google is looking for a specific type of nasty issue here. Not “this icon looks funny” kind of stuff. The scope currently includes forcing an app to download/execute arbitrary code, manipulating an app’s UI to force a transaction (they mention tricking a bank app to send money without a user’s consent as an example) or forcing an app to open a webview that might be used for phishing.
Google is tapping HackerOne to handle much of the back end for this program, from submitting reports to inviting white-hat hackers into new parts of the program as they roll out. You can find all the details published so far right here.
Google’s wider bug bounty program, which includes Chrome and Android itself, had paid out around $9 million as of January 2017.