Play Store bug bounty program expands to all apps with 100 million+ downloads – Android Police

Google has a plethora of bug bounty programs that help it stay on top of black hat hackers. To keep incentives high, the company is constantly tweaking these programs’ general frameworks and has recently increased Chrome’s vulnerability rewards. Today, Google announced an expansion of its bug bounty system on Google Play to include all apps with 100 million downloads or more. It also introduced privacy-focused rewards for researchers identifying data abuse issues in apps.

Previously, only vulnerabilities submitted to app developers’ own programs were eligible for bounty payout. Finding bugs in other apps wouldn’t give white hat hackers a monetary incentive at all. This changes today: security researchers can disclose issues with any app sporting more than 100 million downloads directly to the Google Play Security Reward Program. The company then works with the developer in question to fix these bugs. On top of that, Google promises double payout if developers already have their own programs – researchers just have to disclose bugs to both parties. Data collected through these reports is used by Google to enhance its App Security Improvement system, which automatically notifies other developers about similar issues.

The new Developer Data Protection Reward Program, created in collaboration with HackerOne, isn’t only meant to identify data abuse issues in Android apps, but also OAuth projects and Chrome extensions. It focuses on “situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent.” Anyone coming forward with “verifiable and unambiguous evidence of data abuse” is eligible for payout, and while no maximum rewards are disclosed at the time, Google says a “single report could net as large as a $50,000 bounty.”

Both measures should further incentivize hackers to disclose vulnerabilities. Hopefully, future malware disasters will be caught much faster this way.

Expanding bug bounties on Google Play

August 29, 2019

Posted by Adam Bacchus, Sebastian Porst, and Patrick Mutchler – Android Security & Privacy

We’re constantly looking for ways to further improve the security and privacy of our products, and the ecosystems they support. At Google, we understand the strength of open platforms and ecosystems, and that the best ideas don’t always come from within. It is for this reason that we offer a broad range of vulnerability reward programs, encouraging the community to help us improve security for everyone. Today, we’re expanding on those efforts with some big changes to the Google Play Security Reward Program (GPSRP), as well as the launch of the new Developer Data Protection Reward Program (DDPRP).

Google Play Security Reward Program Scope Increases

We are increasing the scope of GPSRP to include all apps in Google Play with 100 million or more installs. These apps are now eligible for rewards, even if the app developers don’t have their own vulnerability disclosure or bug bounty program. In these scenarios, Google helps responsibly disclose identified vulnerabilities to the affected app developer. This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps. If the developers already have their own programs, researchers can collect rewards directly from them on top of the rewards from Google. We encourage app developers to start their own vulnerability disclosure or bug bounty program to work directly with the security researcher community.

Vulnerability data from GPSRP helps Google create automated checks that scan all apps available in Google Play for similar vulnerabilities. Affected app developers are notified through the Play Console as part of the App Security Improvement (ASI) program, which provides information on the vulnerability and how to fix it. Over its lifetime, ASI has helped more than 300,000 developers fix more than 1,000,000 apps on Google Play. In 2018 alone, the program helped over 30,000 developers fix over 75,000 apps. The downstream effect means that those 75,000 vulnerable apps are not distributed to users until the issue is fixed.

To date, GPSRP has paid out over $265,000 in bounties. Recent scope and reward increases have resulted in $75,500 in rewards across July & August alone. With these changes, we anticipate even further engagement from the security research community to bolster the success of the program.

Introducing the Developer Data Protection Reward Program

Today, we are also launching the Developer Data Protection Reward Program. DDPRP is a bounty program, in collaboration with HackerOne, meant to identify and mitigate data abuse issues in Android apps, OAuth projects, and Chrome extensions. It recognizes the contributions of individuals who help report apps that are violating Google Play, Google API, or Google Chrome Web Store Extensions program policies.

The program aims to reward anyone who can provide verifiable and unambiguous evidence of data abuse, in a similar model as Google’s other vulnerability reward programs. In particular, the program aims to identify situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent. If data abuse is identified related to an app or Chrome extension, that app or extension will accordingly be removed from Google Play or Google Chrome Web Store. In the case of an app developer abusing access to Gmail restricted scopes, their API access will be removed. While no reward table or maximum reward is listed at this time, depending on impact, a single report could net as large as a $50,000 bounty.

As 2019 continues, we look forward to seeing what researchers find next. Thank you to the entire community for contributing to keeping our platforms and ecosystems safe. Happy bug hunting!
