Google Offers $1,000 Bug Bounties for Android Store Apps

To improve the security of Android apps offered in the Google Play store, the search giant has launched a bug bounty program to award $1,000 to hackers who discover bugs in select, popular apps and work with developers to fix them.

Called the Google Play Security Reward Program, the new initiative joins similar efforts Google has instituted in the past, such as programs for Google-developed apps and Chrome apps. Qualified vulnerabilities that are found via those existing bounty programs are also eligible for the new rewards.

The first iteration of the new program -- executed in a partnership with the HackerOne security company -- comes with several scope limitations and other conditions.

For example, the program's initial scope is limited to remote-code-execution (RCE) vulnerabilities and associated proofs of concept (POCs) that work on devices running version 4.4 of the Android OS or higher. Google said this means the vulnerability must allow an attacker to run their code on a user's device without the knowledge or permission of the user.

It also applies to a selection of popular apps whose developers have opted in to the program, which is designed to increase security in the Google Play ecosystem to the benefit of developers and users alike. The initial list of apps includes Alibaba, Dropbox, Snapchat, Tinder and several more. A complete list and other details of the program can be found on the HackerOne site.

In a blog post last week, Google provided this high-level overview of how the program works:

  • Researcher identifies vulnerability within an in-scope app and reports it directly to the app's developer via their current vulnerability disclosure or bug bounty process.
  • App developer works with the researcher to resolve the vulnerability.
  • Once the vulnerability has been resolved, the researcher requests a bonus bounty from the Google Play Security Rewards Program hosted on HackerOne.
  • Android Security team issues a reward to the researcher to thank them for improving the security of the Google Play ecosystem.

Along with a full list of apps in scope for the new program, the HackerOne site also lists the following rules:

  • All vulnerabilities must always be reported directly to the app developer first. This program is only for requesting bonus bounties after the original vulnerability was resolved with the app developer.
  • Only developers who have expressed a commitment to fixing bugs which are disclosed to them have been invited to the program. It is the responsibility of each developer to respond and fix bugs in a timely manner.
  • Follow HackerOne's disclosure guidelines.
  • Please provide detailed reports with the requested information in the submit report form. Reports not containing the required information and that do not meet the criteria for this program will not be eligible for a reward.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue reported to the same developer will be awarded one reward.
  • We aim to be fair; all reward amounts are at our discretion.

HackerOne said additional apps may come into scope in the future.

About the Author

David Ramel is an editor and writer for Converge360.