Called the “Google Play Security Reward” program, the new program aims to get researchers to work directly with Android app developers to find vulnerabilities. If you help a developer squash a bug, Google will pay you $1,000 (on top of whatever bounty the third-party developer might pay themselves).
Here’s what we know so far:
The program only includes a limited selection of Android apps at the moment, not all Android apps. The list currently includes Alibaba, Dropbox, Duolingo, Headspace, Line, Snapchat, and Tinder.

Apps have to be invited into the program for now; when it eventually opens up to more apps, a rep from Google tells me it’ll be opt-in.

Researchers will work directly with the app developer to confirm and squash vulnerabilities; once a bug is fixed, the researcher tells Google, who confirms the bug and issues the $1,000 reward. Google doesn’t want to know about the bug before it’s fixed. “This program is only for requesting bonus bounties after the original vulnerability was resolved with the app developer,” it notes.

As with most bug bounty programs, Google is looking for a specific type of nasty issue here, not “this icon looks funny” kind of stuff. The scope currently includes forcing an app to download or execute arbitrary code, manipulating an app’s UI to force a transaction (they mention tricking a bank app into sending money without the user’s consent as an example), or forcing an app to open a webview that might be used for phishing.