In the wake of a growing number of incidents involving malicious apps on the Play Store, Google has taken a much-needed step. Reportedly, Google has announced an expansion of its bug bounty program for the Play Store.
Google Expands Bug Bounty For Play Store
As revealed in a recent blog post, Google is expanding the scope of its bug bounty program for the Play Store.
Google launched the program as the Google Play Security Reward Program (GPSRP) back in 2017, with the aim of improving the security of applications on the Google Play Store.
Now, as the recent announcement makes clear, Google is further expanding the scope of GPSRP. Specifically, the program will now include all applications with 100 million or more downloads. These apps qualify for the program regardless of whether their developers run their own vulnerability reward or bug bounty programs.
Regarding how this will work, Google's Android Security & Privacy team stated in the blog post:
In these scenarios, Google helps responsibly disclose identified vulnerabilities to the affected app developer. This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps. If the developers already have their own programs, researchers can collect rewards directly from them on top of the rewards from Google.
Google also urges all app developers to launch their own bug bounty or vulnerability disclosure programs, enabling direct collaboration with the security research community.
GPSRP Overview
Google launched GPSRP two years ago. The program initially offered bounties of up to $5000 for remote code execution bugs, while other bugs leading to private data theft or otherwise putting an app's security at risk were rewarded with up to $1000.
However, given the limited traction GPSRP had gained among researchers, Google increased its payouts in July this year. Specifically, it announced rewards of up to $20,000 (instead of $5000) for remote code execution bugs, and raised the $1000 rewards to up to $3000. Nonetheless, the program still covered only a subset of apps.
The inclusion of all apps with 100 million or more downloads will make Google's Play Store bug bounty program even more attractive to the research community.