Google announced on Thursday the launch of a new reward program for data abuse, and the expansion of the Google Play bounty program to include Android applications with over 100 million installs.
The Google Play Security Reward Program (GPSRP) now includes all the Android applications hosted on Google Play that have over 100 million installations, and vulnerabilities found in these apps will be rewarded by Google even if the developer does not have a vulnerability disclosure or bug bounty program.
If the developer does have a bug bounty program, researchers can receive rewards from both the developer and Google.
“In these scenarios, Google helps responsibly disclose identified vulnerabilities to the affected app developer. This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps,” employees of Google’s Android Security & Privacy department explained in a blog post.
Google recently announced that it tripled and even quadrupled some of the rewards offered through the GPSRP. The company says it has paid out a total of more than $256,000 in bounties through this program, including $75,000 in July and August alone as a result of the higher rewards.
According to Google, data from the GPSRP helps it automatically scan all Google Play apps for vulnerabilities similar to the ones reported. Developers whose apps are found to be vulnerable are notified in the Play Console through the App Security Improvement program. Google says this program has helped over 300,000 developers address bugs in over one million apps.
Google also announced on Thursday the launch of the Developer Data Protection Reward Program (DDPRP). The DDPRP, run in collaboration with HackerOne, is meant to encourage security researchers to report Android apps, Chrome extensions and OAuth projects that use, sell or repurpose user data without consent, thus violating Google Play, Google API or Chrome Web Store policies.
“If data abuse is identified related to an app or Chrome extension, that app or extension will accordingly be removed from Google Play or Google Chrome Web Store. In the case of an app developer abusing access to Gmail restricted scopes, their API access will be removed,” Google said.
Google says this program does not currently have clear reward guidelines, but a single abuse report can be worth as much as $50,000.
Facebook runs a similar data abuse program and the social media giant recently expanded it to include Instagram as well.
Related: Flaw in Outlook for Android Allows for Data Theft
Related: Google Paid Out $3.4 Million for Vulnerabilities Reported in 2018
Related: XSS Vulnerability Exposed Google Employees to Attacks
Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- macOS 14 Sonoma Patches 60 Vulnerabilities
- New GPU Side-Channel Attack Allows Malicious Websites to Steal Data
- Microsoft Adding New Security Features to Windows 11
- Sony Investigating After Hackers Offer to Sell Stolen Data
- 900 US Schools Impacted by MOVEit Hack at National Student Clearinghouse
- Predator Spyware Delivered to iOS, Android Devices via Zero-Days, MitM Attacks
- China’s Offensive Cyber Operations in Africa Support Soft Power Efforts
- SANS Survey Shows Drop in 2023 ICS/OT Security Budgets
Latest News
- Chinese Gov Hackers Caught Hiding in Cisco Router Firmware
- CISA Unveils New HBOM Framework to Track Hardware Components
- Gem Security Lands $23 Million Series A Funding
- Misconfigured TeslaMate Instances Put Tesla Car Owners at Risk
- Firefox 118 Patches High-Severity Vulnerabilities
- Stolen GitHub Credentials Used to Push Fake Dependabot Commits
- Google Open Sources Binary File Comparison Tool BinDiff
- macOS 14 Sonoma Patches 60 Vulnerabilities
