Mobile security is paramount, and Google is stepping up to the plate to help keep the apps on its platform safe. Today, Google announced a new bug bounty program, the “Google Play Security Reward Program”. It aims to encourage developers and white-hat hackers to poke and prod apps from the Play Store for vulnerabilities and get them fixed.
Right now, participation in the new program is by invitation only. The list of apps is small but distinguished: Alibaba, Dropbox, Duolingo, Headspace, LINE, Snapchat, and Tinder. In addition to those headlining apps, the program covers all of the Google-developed Android apps currently available in the Play Store. Once the program rolls out further, Google says it will become opt-in for developers instead of relying on invitations.
According to the terms of the program, a researcher who finds a bug works directly with the app’s developer to get it fixed. Google says it doesn’t even want to hear about the bug until a fix has been rolled out. Only then does the researcher contact Google to claim the $1,000 bounty, which is paid out after Google confirms with the app developer that the issue was resolved. The Google bounty is paid on top of whatever the developer’s own bug bounty program awards, so a researcher can be rewarded twice for the same bug if the developer runs such a program.
Google is setting up this program to reward researchers, but it doesn’t want to get too heavily involved. Beyond staying out of the loop until a bug is fixed, it is tapping HackerOne to handle most of the program’s administration. HackerOne will manage report submissions and invite white-hat hackers into the program as it expands. You might remember that Qualcomm recently teamed up with HackerOne on a similar project. If you’re interested, you can read more about the program’s rules and eligibility criteria at the link below.
The Google Play Security Reward Program is part of Google’s wider effort to make its platforms as safe as possible. Google already runs reward programs for its own websites and apps, for Chrome and Chrome OS, and for the latest version of Android running on Pixel devices. Those programs have led to fixes for hundreds of vulnerabilities and have paid out millions of dollars in bounties.