Along with a smattering of changes it brought to Play Store very recently, Google has now also announced the launch of an official bug bounty program that'll reward anyone who can find security vulnerabilities or possible viruses in third-party apps on the Play Store.
Bug bounty programs, for those unaware, are initiated directly by the company to seek help from hackers, cybersecurity professionals, and researchers in finding malware and other viruses in an app. For game companies, like with Nintendo, they're sometimes used as a way to find out if the console has any flaws that can lead to piracy.
Google Launches Bug Bounty Program For Play Store Apps
Google has been facilitating a bug bounty program for years now, but mostly for its proprietary apps. Now, the company is expanding the program to include popular third-party apps as well, and it's going to give anyone who can find flaws plenty of money to reward their hard work.
As published in bug bounty platform HackerOne, Google is now seeking hackers to unearth software vulnerabilities in several popular apps currently available on the Play Store. Anyone interested in taking up Google's challenge and succeeds will get $1,000 for each verified software vulnerability.
For now, the program only includes remote-code-execution vulnerabilities and proof of concepts that run on Android 4.4 KitKat or higher.
Google Play Security Reward Program Rules
Also, the bug bounty program only includes Android apps Google itself had developed, in addition to the following third-party apps: Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.Ru, Snapchat, and Tinder, although some of the companies behind these apps also have their own bug bounties. It's easy to imagine that Google will add more third parties going forward.
According to the Play Security Reward Program page, developers of popular apps are invited to opt-in to the bug bounty program, which aims to incentivize research in the form of crowdsourcing hackers for any vulnerabilities they might find.
Here are some important notes about the bug bounty, as detailed in HackerOne:
"All vulnerabilities must be reported directly to the app developer first. Only submit issues to the Play Security Rewards Program that have already been resolved by the developer."
"Additionally, only issues that have been patched within the last 90 days will qualify. If you wait longer than 90 days from a fix being made publicly available, your report will not qualify!"
Thoughts about Google's bug bounty program? As always, feel free to sound off in the comments section below!