Google increases the scope of its Play Security Reward Program, introduces the Developer Data Protection Reward Program
Google is always looking for ways to improve the privacy and security of its many products. One of the ways it does this is by rewarding the community for finding vulnerabilities. It helps Google find more things to fix, and it rewards people for helping out. Win/win. Today, the company has announced an expansion of the Google Play Security Reward Program and the launch of the Developer Data Protection Reward Program.
In July, Google rolled out some updates to the Google Play Security Reward Program, which used to only cover apps that specifically opted in to the program. Google raised the reward amounts across the board. Now, the program will automatically include all apps in the Play Store with over 100 million installs. These apps are now eligible for rewards, even if the developers don’t have their own vulnerability disclosure or bug bounty program. If they do have their own programs, people can collect rewards from both.
If an app is affected by a vulnerability, developers will be notified through the Play Console. To date, Google says the program has paid out over $265,000 in bounties. In the last two months alone, after the reward increases, $75,000 has been paid out.
Next up is the new Developer Data Protection Reward Program. This is a bounty program in collaboration with HackerOne. The purpose of this program is to identify and mitigate data abuse in apps, OAuth projects, and Chrome extensions. It rewards people in a similar way to Google’s other reward programs for finding evidence of data abuse. One focus of the program is to find situations where user data is being sold or traded without the user’s consent. A single report could net a bounty as large as $50,000.
Both of these programs are out there to protect users and improve experiences with Google’s many products. You can learn more about the Google Play Security Reward Program and the Developer Data Protection Reward Program on their respective pages at HackerOne. This is also where you should go to submit reports.