And it’s with that in mind that Google announced this week that it is expanding its bug bounty program, which rewards security researchers who responsibly disclose vulnerabilities so that users can be patched as quickly as possible.
Google, which admittedly has rather deep pockets when it comes to funding such things, has said it is changing its Google Play Security Reward Program (GPSRP) so that it not only covers its own products, but additionally includes all apps in the official Google Play store which have had 100 million or more installs.
In other words, if you were to find a serious security hole in a popular Android app you could contact Google rather than the app’s developer, and Google will be happy to not only alert the developer about the flaws, but also pay you handsomely for your work.
Although Google is encouraging app developers to start their own bug bounty program through which researchers can be rewarded for disclosing vulnerabilities responsibly, it says that all popular Android apps with 100 million or more installs are now automatically eligible under GPSRP.
“This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps,” wrote Adam Bacchus, Sebastian Porst, and Patrick Mutchler of Google’s Android Security & Privacy group. “If the developers already have their own programs, researchers can collect rewards directly from them on top of the rewards from Google.”
Google says that it has already helped over 300,000 app developers fix flaws in approximately one million Android apps on Google Play, paying out $265,000 in rewards to date. A rise in the rewards offered has seen Google pay out $75,500 in just the past few months.
Let’s not turn a blind eye to the reality here. Google has not done a great job in the past of policing the apps in its official Google Play store. On countless occasions malicious apps have been found that put Android users and their data at risk. And it’s even more common for poorly-coded mobile apps to contain vulnerabilities – even if they were not created with malicious intent.
As such, it’s hard to complain about Google expanding its bug bounty program to encourage more security researchers to look for security holes in the most widely used apps.
In addition, Google has announced a new initiative: the Developer Data Protection Reward Program (DDPRP).
DDPRP is another bounty program, but this time built specifically with the intention of identifying and mitigating “data abuse issues in Android apps, OAuth projects, and Chrome extensions.”
“In particular, the program aims to identify situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent.”
According to Google, a single DDPRP report could net a researcher a bounty as large as $50,000.