Back in 2017, Google teamed up with the bug bounty platform HackerOne and rolled out a reward program called Google Play Security Rewards (GPSRP). However, the program never gained much traction, because it covered only a handful of Android apps.
Now Google is expanding the bug bounty program to include every Android app with 100 million or more downloads. Interestingly, the announcement comes right after the CamScanner report: a PDF-maker Android app with 100M+ downloads was found to be delivering malware to users' phones.
Under the GPSRP, security researchers report vulnerabilities through HackerOne, and Google relays them to the app's developers. If the developers fail to respond to the reports, Google will remove the affected Android apps from the Play Store. Google says that all security researchers are eligible for the rewards, even when the app's developer runs a bug bounty program of its own.
As for the rewards, security researchers can claim a maximum of $20,000 for a Remote Code Execution vulnerability. Beyond that, $3,000 is paid for a vulnerability that allows theft of private data, and the same amount for a vulnerability that lets an attacker reach another app's protected components without holding the necessary permission.
According to a blog post, vulnerability data from the GPSRP can be used to automatically detect the same class of vulnerability in other apps through another program called App Security Improvement (ASI). Google says that in 2018, ASI "has helped more than 300,000 developers fix more than 1,000,000 apps on Google Play."
Google has also rolled out the DDPRP (Developer Data Protection Reward Program), again in association with HackerOne. The program rewards anyone who reports verifiable evidence of data abuse by Android apps and Google Chrome extensions.
Consequently, apps and Chrome extensions found violating Google Play, Google API, and Chrome extensions policies will be removed from the platform.