This week the team at Google responsible for stamping out bugs in software expanded its bug bounty program. Adam Bacchus, Sebastian Porst, and Patrick Mutchler of Android Security and Privacy released a statement on the subject, announcing that they are “increasing the scope of GPSRP to include all apps in Google Play with 100 million or more installs.” GPSRP stands for Google Play Security Reward Program. Google also launched a new program along similar lines called the Developer Data Protection Reward Program (DDPRP).
With this latest increase in scope for the Google Play Security Reward Program, bugs found in any app in the Google Play store with 100 million or more installs are potentially eligible for a reward. That holds even if the developers of those apps do not run a bug bounty program of their own. Google encourages major app developers to operate their own vulnerability disclosure program, but where none exists, Google will assist in responsibly disclosing the identified vulnerability to the developer.
If a developer DOES have a vulnerability disclosure program or bug bounty program, the bug hunter can potentially earn bounties from both the developer and Google. Google Play will still work with the developer on a fix through the App Security Improvement (ASI) program, and the researcher's report remains eligible for reward from both parties.
The Developer Data Protection Reward Program is another new bounty program from Google. This DDPRP program was initiated in collaboration with HackerOne, and is meant “to identify and mitigate data abuse issues in Android apps, OAuth projects, and Chrome extensions.”
With DDPRP, Google is aiming to gather reports on apps that are “violating Google Play, Google API, or Google Chrome Web Store Extensions program policies.” The program is looking for “verifiably and unambiguous evidence of data abuse”, with specific emphasis on “situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent.”
More on DDPRP can be found on HackerOne, where, with just 9 reports resolved at the time of writing, the average bounty sits at around $500 a pop. Google said today that no reward table or maximum reward is in place at this time, but that a single report “could net as large as a $50,000 bounty.”