Connect with us

Hi, what are you looking for?


Management & Strategy

Google Offers Big Bounties for Data Abuse Reports

Google announced on Thursday the launch of a new reward program for data abuse, and the expansion of the Google Play bounty program to include Android applications with over 100 million installs.

Google announced on Thursday the launch of a new reward program for data abuse, and the expansion of the Google Play bounty program to include Android applications with over 100 million installs.

The Google Play Security Reward Program (GPSRP) now includes all the Android applications hosted on Google Play that have over 100 million installations, and vulnerabilities found in these apps will be rewarded by Google even if the developer does not have a vulnerability disclosure or bug bounty program.

If the developer does have a bug bounty program, researchers can receive rewards from both the developer and Google.

“In these scenarios, Google helps responsibly disclose identified vulnerabilities to the affected app developer. This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps,” employees of Google’s Android Security & Privacy department explained in a blog post.

Google recently announced that it tripled and even quadrupled some of the rewards offered through the GPSRP. The company says it has paid out a total of more than $256,000 in bounties through this program, including $75,000 in July and August alone as a result of the higher rewards.

According to Google, data from the GPSRP helps it automatically scan all Google Play apps for vulnerabilities similar to the ones reported. Developers whose apps are found to be vulnerable are notified in the Play Console through the App Security Improvement program. Google says this program has helped over 300,000 developers address bugs in over one million apps.

Google also announced on Thursday the launch of the Developer Data Protection Reward Program (DDPRP). The DDPRP, run in collaboration with HackerOne, is meant to encourage security researchers to report Android apps, Chrome extensions and OAuth projects that use, sell or repurpose user data without consent, thus violating Google Play, Google API or Chrome Web Store policies.

Advertisement. Scroll to continue reading.

“If data abuse is identified related to an app or Chrome extension, that app or extension will accordingly be removed from Google Play or Google Chrome Web Store. In the case of an app developer abusing access to Gmail restricted scopes, their API access will be removed,” Google said.

Google says this program does not currently have clear reward guidelines, but a single abuse report can be worth as much as $50,000.

Facebook runs a similar data abuse program and the social media giant recently expanded it to include Instagram as well.

Related: Flaw in Outlook for Android Allows for Data Theft

Related: Google Paid Out $3.4 Million for Vulnerabilities Reported in 2018

Related: XSS Vulnerability Exposed Google Employees to Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.