Google will be rewarding hackers for finding loopholes in Android apps with 100M+ downloads

There are millions of apps working in disguise and using various strategies to operate under the radar. Apps with vulnerabilities can put a huge impact on a user’s personal information. So Google and HackerOne started bug bounty programs to motivate hackers to find loopholes in their apps and get thousands of dollars in return. These bug programs received a lot of positive feedback with few young hackers turning into millionaires too.

New policies launched by Google for its bug bounty programs

Recently, Android Security & Privacy team announced that Google is expanding its criteria for Google Play Security Reward Program (GPSRP) which now also includes Android apps with more than 100 million downloads.

This update in its policy is a step by Google towards making its platform free from malicious apps that might be a threat to a user’s personal data. The security researchers who will report any loopholes in these apps will be rewarded from not only Google but also from the app’s developers if they also run bug bounty program on the platform named HackerOne.

This new step by Google opens possibilities for security researchers to help hundreds of organizations detect and fix loopholes or any vulnerability in their apps. The vulnerability reported by security researchers will be collected by Google and submitted to Google’s own malware protection tools to create checks and detect all similar apps available with related vulnerabilities. The increase in the scope of GPSRP makes these apps eligible for rewards even if the app developers don’t run its own bug bounty programs.

How will Google fix the security flaws

Whenever a security researcher will detect any vulnerability in an app, notifications will be sent to developers of the apps including the detailed insight on security flaw in their apps and guidelines on how to fix it. Google Play app developers use App Security Improvement (ASI) program as a service to improve its apps’ security and the alerts to app developers regarding the vulnerabilities will be sent via Play Console (a part of ASI program).


The ASI program has helped more than 300,000 developers to fix more than 1,000,000 apps on Google Play. This program helped more than 30,000 developers to fix 75,000 apps in 2018 alone. The apps found with flaws will not be distributed to users until the issue gets fixed.

Google rewarded security researchers with more than $265,000 in bounties through its GPSRP, with the increase in scope and reward; more than $75,500 were awarded in the bug bounties between the months of July and August.

Another reward program launched by Google

Google recently collaborated with HackerOne platform and launched the Developer Data Protection Reward Program (DDPRP). This program is aimed at detecting the data abuse in Android apps, Chrome extensions and reward researchers who help identifying it.

Hackers who report regarding apps that violate the program policies of Google Play, Google Chrome Web Store Extensions or Google API will be rewarded by the DDPRP.

The core purpose behind this new program is to reward anyone who can display an authentic amount of evidence on the data abuse as similar to Google vulnerability reward programs. DDPRP is meant to detect situations where user data is being used and sold without the user’s acknowledgment. If the reports by hackers regarding the data abuse are confirmed, the apps and extensions with allegation for violating Google’s policies will be removed from Google Play or Google Chrome Web Store.

Even if the Google service APIs are accused by developers for accessing user’s information and violating its policies, the access for API will also be revoked.

Although there is no official chart regarding the maximum or a minimum of amount of reward Google offers to security researchers but we think the rewards depend on the impact of the reported issue on users and the platforms reputation as well.



Read next: Facebook will now reward researchers for identifying data abuse on Instagram

No comments:

Post a Comment