From now on, Google will also pay security researchers rewards if they find vulnerabilities in third-party apps. The apps must be in the Play Store and have more than one hundred million installations there.
Google is thereby expanding its Google Play Security Reward Program, or GPSRP. That program pays bug bounties to developers and security researchers who find vulnerabilities in apps in the Play Store. Until now, this was only possible for apps that their makers had registered with the program themselves. Google is broadening the scope of the program so that every app with more than one hundred million downloads automatically qualifies for a reward from Google itself. This also applies if the makers of the app do not have a bug bounty program of their own. If they do, researchers have the opportunity to receive a double reward.
Google says developers will be notified via Play Console if a vulnerability is discovered. That is part of the App Security Improvement program, the company writes in a blog post. According to Google, the program has since fixed bugs in more than one million apps from more than 300,000 developers. Moreover, more than $265,000 has been paid out through the Security Reward Program, of which $75,500 in July and August this year.
In addition to expanding the GPSRP, Google is also starting a new program. The Developer Data Protection Reward Program, or DDPRP, is a collaboration with HackerOne. The program is intended to detect data abuse in apps, meaning software that collects, uses or resells user data without the user's knowledge. It also applies to OAuth projects, Google's APIs, and Chrome extensions. Researchers who discover such data abuse in Google services can be rewarded for it. Google says that no definitive reward list or maximum reward has been set yet, but at the same time it says that researchers can receive 50,000 dollars or 45,000 euros for a report.