GOOGLE HAS EXPANDED its bug bounty programme to include the most popular apps on the Play Store.
Previously, the Google Play Security Reward Programme (GPSRP) covered just the top eight apps on Play Store, but now Google has made it more attractive for bug hunters by opening it up to all apps with 100 million or more installs.
"At Google, we understand the strength of open platforms and ecosystems, and that the best ideas don't always come from within. It is for this reason that we offer a broad range of vulnerability reward programmes, encouraging the community to help us improve security for everyone," Google said.
"Today, we're expanding on those efforts with some big changes to Google Play Security Reward Programme (GPSRP), as well as the launch of the new Developer Data Protection Reward Programme (DDPRP)," it added.
Eligible researchers will get cash rewards from the company, even if developers are not running a bug bounty programme for their apps. If a developer has a bug bounty programme for its app, security researchers can still receive rewards from them as well as Google as an additional incentive.
However, the vulnerabilities must first be disclosed to the app developer and can be later notified to Google. The company will evaluate those vulnerabilities and offer the extra bounty as it deems appropriate.
Discovering a remote code execution (RCE) flaw will fetch a cool $20,000 award for the bug hunter. Finding vulnerabilities which result in data theft or those that allow access to a protected component of an app will be rewarded with $3,000.
Google has also launched a Developer Data Protection Reward Programme, in partnership with HackerOne, which will provide security researchers with a cash reward up to $50,000 for finding "data abuse issues" in Chrome extensions, Android apps, etc.
According to Google, any app which is found using or selling users' data without user consent will be deleted from the Chrome Web Store or Play Store. The security researcher who finds such an app will be eligible to receive a reward of up to $50,000 from the company.
The bug bounty programmes of leading tech firms like Microsoft, Google, Intel and Apple are today offering individuals bounties as high as $1,500,000 for reporting critical issues. µ
But it's bad news for UK job-seekers
The 7T and 7T Pro arrive in Blighty
Dude, where's my cores?
Not even a new logo could save it