Google has a plethora of bug bounty programs that help it stay on top of black hat hackers. To keep incentives high, the company is constantly tweaking these programs' general frameworks and has recently increased Chrome's vulnerability rewards. Today, Google announced an expansion of its bug bounty system on Google Play to include all apps with 100 million downloads or more. It also introduced privacy-focused rewards for researchers identifying data abuse issues in apps.

Previously, only vulnerabilities submitted to app developers' own programs were eligible for a bounty payout. Finding bugs in other apps wouldn't give white hat hackers a monetary incentive at all. This changes today: security researchers can disclose issues with any app sporting more than 100 million downloads directly to the Google Play Security Reward Program. The company then works with the developer in question to fix these bugs. On top of that, Google promises a double payout if developers already have their own programs – researchers just have to disclose bugs to both parties. Google uses the data collected through these reports to enhance its App Security Improvement system, which automatically notifies other developers about similar issues.

The new Developer Data Protection Reward Program, created in collaboration with HackerOne, is meant to identify data abuse issues not only in Android apps, but also in OAuth projects and Chrome extensions. It focuses on "situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent." Anyone coming forward with "verifiably and unambiguous evidence of data abuse" is eligible for a payout, and while no maximum rewards are disclosed at this time, Google says a "single report could net as large as a $50,000 bounty."

Both measures should further incentivize hackers to disclose vulnerabilities. Hopefully, future malware disasters will be caught much faster this way.

Source: Google
