Google will pay for discovering vulnerabilities in third-party apps


Google will also reward security researchers if they find vulnerabilities in third-party apps. They must be in the Play Store and have more than a hundred million installations there.

Google is thereby further expanding its Google Play Security Reward Program, or GPSRP. That program pays bug bounties to developers and security researchers who find vulnerabilities in apps in the Play Store. Until now, this was only possible for apps that had been registered with the program by their makers. Google is broadening the scope of the program so that any app with more than 100 million downloads is automatically eligible for a reward from Google itself. That’s true even if the app’s makers don’t have a bug bounty program themselves. If they do, the discoverers stand a chance of receiving a double reward.

Google says developers will be notified via the Play Console if a vulnerability is discovered. That is part of the App Security Improvement program, the company writes in a blog post. According to Google, that program has so far fixed bugs in more than a million apps from more than 300,000 developers. More than $265,000 has already been paid out through the Security Reward Program, of which $75,500 was paid in July and August this year.

In addition to expanding the GPSRP, Google is also starting a new program. The Developer Data Protection Reward Program, or DDPRP, is a partnership with HackerOne. The program is intended to detect data misuse in apps. It also applies to OAuth projects, Google’s APIs, and Chrome extensions. It concerns software that improperly collects, uses or resells user data without the user’s knowledge. Researchers who discover such data misuse in Google services can receive a reward. Google says that a definitive reward list or maximum reward has not yet been established, but at the same time says that researchers can receive $50,000 or $45,000 for a report.
