Google has launched a new bug bounty program for security experts where the company will pay $1,000 (approximately Rs 65,100) for finding security flaws in Android apps and then reporting it to Google researchers.
“The Google Play Security Reward Programme recognizes the contributions of security researchers who invest their time and effort in helping us make apps on Google Play more secure,” the tech giant said on its website late on Thursday.
All Google’s apps are included and developers of popular Android apps are invited to opt-in to the program being run in partnership with HackerOne.
“Through the program, we will further improve app security which will benefit developers, Android users and the entire Google Play ecosystem,” the company said.
For now, the scope is limited to RCE (remote-code-execution) vulnerabilities and corresponding POCs (Proof of concepts) that work on Android 4.4 devices and higher. ALSO READ: Google Instant Apps now available on Play Store
“This translates to any RCE vulnerability that allows an attacker to run code of their choosing on a user’s device without user knowledge or permission,” Google said.
This is how it works. Researcher identifies vulnerability within an in-scope app and reports it directly to the app’s developer via their current vulnerability disclosure or bug bounty process. App developer then works with the researcher to resolve the vulnerability. Once the vulnerability has been resolved, the researcher requests a bonus bounty from the Google Play Security. ALSO READ: Google removes over 500 apps from Play Store over spyware
“The program will evaluate each submission based on the vulnerability criteria. A reward of $1,000 will be rewarded for issues that meet this criteria,” Google said. “We are unable to issue rewards to individuals who are on US sanctions lists or who are in countries (Crimea, Cuba, Iran, North Korea, Sudan and Syria),” it added.