Google is now offering a bug bounty program for apps on Google Play and partnering with HackerOne to make the Google Play Security Rewards Program a reality, the company announced at its Playtime developer conference today.
The initiative will begin with Google apps already in the Play Store, Vineet Buch, the Director of Product Management for Google Play Apps & Games, told PCMag. A few third-party apps will also be included in the program, with the consent of the developers, before expanding to “cover as many apps as we can,” Buch said.
“The program will help us find security vulnerabilities and notify developers via security recommendations on how to fix them,” Buch wrote in a blog post. “We hope to bring the success we have with our other reward programs, and we invite developers and the research community to work together with us on proactively improving Google Play ecosystem’s security.”
Pay for Bugs
In a bug bounty program, companies pay out rewards for bugs and security vulnerabilities found by researchers or even members of the public. Bug seekers submit their findings, and if they prove to be legit, the company bestows a reward. In many cases, companies have a sliding scale for the bounties, paying out larger sums for more dangerous discoveries.
Buch told PCMag that HackerOne will be handling the information received from researchers, but Google is behind the money. “If this were a missing person’s report, we are the people offering the reward for the information,” Buch explained. “HackerOne is the police.”
Researchers who wish to participate will submit their findings directly to the developers of apps involved in the program. Once the vulnerability has been resolved, the researcher submits it to HackerOne. Based on Google’s Vulnerability Criteria, the company will pay out a reward of $1,000. In the future, other criteria may be added, creating more avenues for rewards, Google said.
Some examples of the kind of bugs Google is looking for include remote arbitrary code execution, UI manipulation that leads to a fraudulent transaction, and using the integrated webview browser to navigate to a phishing site. In short, the really big stuff.
The advantage of bug bounty programs is that they not only reward smart research but also incentivize ethical disclosure of vulnerabilities. Would-be attackers now have a choice: turn their research into fast, legal cash rather than take the risk of trying to profit from illegal activity.
Google’s new bug bounty program is just the latest in a series of efforts to improve Android security, both in the code and in the minds of the general public. Two years ago, the company committed to monthly security updates after carrying out the largest software patch in history to fix the Stagefright vulnerability. Along with security updates to Android O, Google has also begun highlighting how much vetting happens within Google Play itself by affixing a little green shield to apps in the Play store.
Today’s announcement was just one of many at the Playtime developers conference, which takes place in Berlin and San Francisco and highlights new initiatives for developers. Of note is an effort to host more instant apps, which don’t require installation from users to function. Also notable is a new initiative to improve subscription retention by halving Google’s 30 percent transaction fee to 15 percent on subscriptions that have lasted for more than a year.