With the avalanche of security vulnerabilities in popular Android apps that have been installed on millions of smartphones, Google announced today that it is making big changes to its Google Play Security Reward Program (GPSRP).
Google to include popular third-party apps in its security bug bounty program
The most important change in GPSRP, Google’s security reward program for its Google Play Store, is that security researchers can now claim a reward for security vulnerabilities in applications that were not developed by the search giant.
“We are increasing the scope of GPSRP to include all apps in Google Play with 100 million or more installs,” wrote Google engineers Patrick Mutchler and Sebastian Porst (Google Play Protect) and Adam Bacchus, who runs GPSRP, in a post. “These apps are now eligible for rewards, even if the app developers don’t have their own vulnerability disclosure or bug bounty program.”
If a security researcher finds a security vulnerability in a popular app that doesn’t have a bounty program, Google will help the researcher responsibly disclose the identified vulnerability to the affected app developer and will pay the bonus reward.
If the developer of a popular app already has a disclosure program, security researchers will then be able to collect the cash reward directly from the app developer on top of the reward from Google.
Prior to today’s announcement, security researchers had no easy way to be rewarded for responsibly disclosing severe security vulnerabilities to app developers that don’t have a security bounty program.
At this time, only the following three vulnerability classes qualify for GPSRP:
- Remote Code Execution (RCE) – $20,000: The RCE vulnerability must allow an attacker to run native ARM code of their choosing on a user’s device without the user’s knowledge or permission
- Theft of insecure private data – $3,000: Unauthorized access to personally identifiable information in a way that lets an attacker steal it from Android devices with default security settings
- Access to protected app components – $3,000: Where an app component processes a passed Intent (e.g. from startActivity, sendBroadcast, startService, or bindService) from another app without properly validating the Intent, resulting in the target app performing an operation that the sending app doesn’t have permission to do
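The third class above is the classic Android confused-deputy bug: an exported component relays a caller-supplied Intent using its own app identity, so the calling app reaches components it could never start directly. The following Java snippet, added here as an illustration and not taken from the article or from any of the named apps, shows the unsafe relay beside a hardened handler; the action name, the "next" extra and the allowlisted class name are assumed placeholders.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;

public class ShareHandlerActivity extends Activity {
    // Placeholder action and target used only for this example.
    private static final String ACTION_OPEN = "com.example.app.ACTION_OPEN";
    private static final String ALLOWED_TARGET = "com.example.app.ViewerActivity";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        handleIntentHardened(getIntent());
    }

    // Unsafe pattern (the bug class the reward covers): whatever Intent another app
    // embedded in the extras is relaunched with this app's identity, so the sender
    // can reach this app's non-exported activities and any permissions it holds.
    void handleIntentVulnerable(Intent incoming) {
        Intent forward = incoming.getParcelableExtra("next");
        if (forward != null) {
            startActivity(forward);
        }
    }

    // Hardened pattern: serve only the expected action, refuse to relay anything
    // that is not an explicit Intent for a single allowlisted component of this
    // app, and drop flags so the relay cannot grant URI access on the app's behalf.
    void handleIntentHardened(Intent incoming) {
        if (incoming == null || !ACTION_OPEN.equals(incoming.getAction())) {
            finish();
            return;
        }
        Intent forward = incoming.getParcelableExtra("next");
        if (forward == null) {
            return;
        }
        ComponentName target = forward.getComponent();
        if (target == null
                || !getPackageName().equals(target.getPackageName())
                || !ALLOWED_TARGET.equals(target.getClassName())) {
            finish();
            return;
        }
        forward.setFlags(0);
        startActivity(forward);
    }
}
```

The same validation applies to sendBroadcast, startService and bindService; components that are only ever used internally should additionally be declared with android:exported="false" in the manifest so no outside Intent reaches them at all.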
With the expansion of GPSRP to non-Google apps, the Silicon Valley company hopes to incentivize security researchers to adopt its bug bounty model instead of making public disclosures, which could cause massive disruptions, or worse, selling their exploits to the underground hacking scene.
Some of the app developers that are participating in the new expanded Google Play Security Reward Program include Grammarly, Livestream, Priceline, Shopify, Showmax, Spotify, Sweatcoin and Zomato.