When a hacker finds vulnerabilities in an app, they have to report them to the app developer. Once the issue is resolved, the hacker can claim the monetary reward from Google. The hacker who reports a bug first will be rewarded, and duplicates are not encouraged. However, the program is limited to remote-code-execution vulnerabilities, i.e., cases where code executes without the user’s permission, such as phishing attacks or monetary transactions through UI manipulation.
Google has invited only developers who have expressed interest in fixing bugs, so few apps are covered by the program. All apps developed by Google are included.
In addition, eight popular apps are included in the bug bounty program: Line, Dropbox, Alibaba, Duolingo, Headspace, Mail.Ru, Snapchat, and Tinder. More apps might be added to the list with their developers’ consent. Interested developers have to contact their Google Play partner manager to opt in.
Earlier, Google had successfully hosted bug bounty programs for its Pixel devices, websites, Chrome browser, and Chrome OS. Do you think these programs will address Android’s security issues? Share your views in the comments.