Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

Google Offers Big Bounties for Data Abuse Reports

Google announced on Thursday the launch of a new reward program for data abuse, and the expansion of the Google Play bounty program to include Android applications with over 100 million installs.

Google announced on Thursday the launch of a new reward program for data abuse, and the expansion of the Google Play bounty program to include Android applications with over 100 million installs.

The Google Play Security Reward Program (GPSRP) now includes all the Android applications hosted on Google Play that have over 100 million installations, and vulnerabilities found in these apps will be rewarded by Google even if the developer does not have a vulnerability disclosure or bug bounty program.

If the developer does have a bug bounty program, researchers can receive rewards from both the developer and Google.

“In these scenarios, Google helps responsibly disclose identified vulnerabilities to the affected app developer. This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps,” employees of Google’s Android Security & Privacy department explained in a blog post.

Google recently announced that it tripled and even quadrupled some of the rewards offered through the GPSRP. The company says it has paid out a total of more than $256,000 in bounties through this program, including $75,000 in July and August alone as a result of the higher rewards.

According to Google, data from the GPSRP helps it automatically scan all Google Play apps for vulnerabilities similar to the ones reported. Developers whose apps are found to be vulnerable are notified in the Play Console through the App Security Improvement program. Google says this program has helped over 300,000 developers address bugs in over one million apps.

Google also announced on Thursday the launch of the Developer Data Protection Reward Program (DDPRP). The DDPRP, run in collaboration with HackerOne, is meant to encourage security researchers to report Android apps, Chrome extensions and OAuth projects that use, sell or repurpose user data without consent, thus violating Google Play, Google API or Chrome Web Store policies.

“If data abuse is identified related to an app or Chrome extension, that app or extension will accordingly be removed from Google Play or Google Chrome Web Store. In the case of an app developer abusing access to Gmail restricted scopes, their API access will be removed,” Google said.

Google says this program does not currently have clear reward guidelines, but a single abuse report can be worth as much as $50,000.

Facebook runs a similar data abuse program and the social media giant recently expanded it to include Instagram as well.

Related: Flaw in Outlook for Android Allows for Data Theft

Related: Google Paid Out $3.4 Million for Vulnerabilities Reported in 2018

Related: XSS Vulnerability Exposed Google Employees to Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.