Google has started a program called the “Google Play Security Reward”, which aims to get researchers to work directly with Android app developers to find vulnerabilities. The company is launching the Google Play bounty program to encourage researchers to poke around in some of Android’s most popular apps to find flaws and glitches. If you help a developer squash a bug, Google will pay you $1000 on top of whatever bounty the third-party developer might pay.
Everything we know about the program so far:
- It is not for all apps. The program includes only a limited selection of apps at the moment. The list consists of Alibaba, Dropbox, Duolingo, Headspace, LINE, Snapchat and Tinder along with “all Google-developed Android apps available on Google Play”.
- Google is still inviting apps to the program; it says it will announce when the program opens up to more apps.
- Researchers work directly with the app developer. Once the researcher finds a vulnerability and the developer fixes it, the researcher reports it to Google, which then issues the $1000 reward. Google doesn’t want to know about the bug before it is fixed. “This program is only for requesting bonus bounties after the original vulnerability was resolved with the app developer,” it notes.
- Google is looking for specific, high-impact issues. It is currently focusing on bugs that force an app to download or execute arbitrary code, manipulate an app’s UI to force a transaction, or force an app to open a webview that could be used for phishing.
Google is relying on HackerOne to handle much of the back end of this program. Google’s wider bug-bounty program, which covers Chrome and Android itself, had paid out around $9 million as of January 2017.