Google expanded bug bounty program to popular Android apps, including software vulnerabilities and data abuse violations

October 22, 2019

Briefing

  • Expanded Bug Bounty Program – Google has expanded the Google Play Security Reward Program, incentivizing security researchers and crowdsourced hackers to report vulnerabilities in non-Google Android apps on the Play Store with more than 100 million installs
  • Qualifying Entries – Include remote code execution (RCE) vulnerabilities that enable a hacker to download and run other code without the user's knowledge (such as a hacker gaining control of the app), theft of private data, and unauthorized access to app security and privacy settings
  • Data Abuse Violations – Google launched the Developer Data Protection Reward Program, which will reward anyone who reports, with clear evidence of violations, apps, OAuth projects and Chrome extensions that have unauthorized data sharing, use and access practices
  • Rewards – Range from $3,000 to $20,000 for qualified entries, $500 for vulnerabilities that are already known to Google but may still affect several apps, and other amounts at Google’s discretion for data abuse violations
  • Mechanics – The program requires vulnerabilities to be reported directly to the app developer, except for data abuse issues, which should be shared with Google first; disqualifies Google employees and partnering companies from competing; and rewards the first to submit in case of duplication
  • Google Properties – Bugs in Google-owned properties (e.g., YouTube, Android apps, Google Home, Nest), except recent acquisitions, should be submitted to the Google Vulnerability Reward Program (VRP), established in November 2010, with rewards of up to $31,337 for bugs and an additional $100,000 prize for Google Cloud Platform

Accelerator

Business Model and Practices

Sector

Information Technology

Function

Research and Development

Organization

Google Inc.

Original Publication Date

August 29, 2019
