Google has decided to expand the scope of one of its bug bounty programs as well as launch another security rewards initiative.
On 29 August, Android Security & Privacy team members Adam Bacchus, Sebastian Porst, and Patrick Mutchler announced that the Google Play Security Reward Program (GPSRP) will now cover all Google Play apps with over 100 million downloads. This change means that security researchers can receive rewards for submitting eligible vulnerability reports regardless of whether those apps’ developers have their own vulnerability disclosure frameworks. If they do, security researchers can potentially collect bounties from both the GPSRP as well as the app developer’s program.
Since its launch in June 2017, GPSRP has awarded $265,000 in bounties. The program gave out $75,000 in July and August 2019 alone as the result of scope and reward increases.
In the same announcement, Bacchus, Porst and Mutchler disclosed the launch of the Developer Data Protection Reward Program (DDPRP) in collaboration with HackerOne. The program will reward security researchers who identify when apps violate Google Play, Google API or Google Chrome Web Store Extensions program policies. As the researchers noted in a statement:
The program aims to reward anyone who can provide verifiable and unambiguous evidence of data abuse, in a similar model as Google’s other vulnerability reward programs. In particular, the program aims to identify situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent.
Google will remove an offending app from Google Play or the Google Chrome Web Store. If security researchers demonstrate that a program is abusing access to Gmail restricted scopes, Google will remove its API access.
Researchers can expect to receive up to $50,000 for submitting an eligible report under this program.
For a list of other bug bounty programs through which researchers can receive rewards in 2019, click here.