Google has announced a new bug bounty programme of $1000 on Thursday, to all those who find security flaws in Android apps and report it to Google.
“The Google Play Security Reward Programme recognizes the contributions of security researchers who invest their time and effort in helping us make apps on Google Play more secure,” the tech giant said on its website.
In the programme being run in partnership with HackerOne, all Google’s apps are included and developers of popular Android apps are invited to opt-in.
“Through the programme, we will further improve app security which will benefit developers, Android users, and the entire Google Play ecosystem,” the company said.
Currently, the scope is limited to RCE (remote-code-execution) vulnerabilities and corresponding POC (Proof of concepts) that work on Android 4.4 devices and higher.
“This translates to any RCE vulnerability that allows an attacker to run code of their choosing on a user’s device without user knowledge or permission,” Google said.
How will it work?
Researcher identifies vulnerability within an in-scope app and reports it directly to the app’s developer via their current vulnerability disclosure or bug bounty process. App developer then works with the researcher to resolve the vulnerability.
Once the vulnerability has been resolved, the researcher requests a bonus bounty from the Google Play Security.
“The programme will evaluate each submission based on the vulnerability criteria. A reward of $1,000 will be rewarded for issues that meet this criteria. We are unable to issue rewards to individuals who are on US sanctions lists or who are in countries (Crimea, Cuba, Iran, North Korea, Sudan and Syria),” Google added.