Google offers $1,000 reward for finding bugs in Android apps
20 Oct 2017
In a bid to rid the Play Store of vulnerable apps, Google is partnering with the bug bounty platform HackerOne to launch the "Google Play Security Reward Program".
It encourages security researchers to work with Android developers to find vulnerabilities in popular apps, including those built by Google as well as by third parties.
Google will pay $1,000 on top of whatever bounty the third-party developer itself pays.
Overall health of the ecosystem
Google Play Apps and Games' Director of Product Management, Vineet Buch, said software scans do not match a person's ability to discover "a truly creative hack." He added, "We don't just care about our own apps, but rather the overall health of the ecosystem."
Apps need to opt in to the bounty program
Currently, only a limited selection of Android apps is included in Google's latest bug bounty program.
As of now, Alibaba, Dropbox, Duolingo, Headspace, LINE, Mail.RU, Snapchat, Tinder and all Google-developed apps on Google Play are on the list.
App developers are invited to join the program, which will gradually bring more Android apps into scope.
Rules: the program only pays bonus bounties after the vulnerability has been resolved
Security researchers work directly with the developers of the affected Android apps to find, confirm, and fix the bugs.
Once a vulnerability is resolved, the researcher reports it to Google, which confirms the bug and then issues the $1,000 reward.
Google also only wants reports on "specific types" of major issues, not things like "this icon looks funny."
The scope of the program
As of now, the bug bounty program's scope is "limited to RCE (remote-code-execution) vulnerabilities and corresponding POCs (Proof of concepts)." Such vulnerabilities include an attacker gaining full control of the app, UI manipulation that forces transactions (especially in banking apps), and opening a WebView in a way that leads to phishing attacks.
HackerOne to handle most of the operations
Google's partner for this program, HackerOne, will handle most of the back-end operations of the bug bounty program, including inviting whitehat hackers into new sections of the program as they are rolled out and managing report submissions.
The tech giant has so far paid around $9 million in rewards through its broader bug bounty programs for the Android mobile OS and Chrome.