Google Launches Google Play Security Reward Program


Google has launched a program that rewards you for finding vulnerabilities and other qualifying bugs in popular Android apps. Interested? Read on for details.


Google launched the Google Play Security Reward Program just a few days ago in coordination with the bug bounty platform HackerOne. Google already runs its own bug bounties for Android, Chrome, and its websites, and is now extending that concept to popular Android apps. Under the new program, researchers are paid a $1,000 reward for qualifying vulnerabilities.

According to HackerOne, researchers identify app vulnerabilities and report them to the developers as soon as they find them. The researcher then requests a reward from the program; once Google has evaluated the report and confirmed that it meets its criteria, the researcher is awarded $1,000.

Note: Google brings the bug bounty vulnerability research model to Android apps in the Play Store.

The Google Play Security Reward Program so far includes Dropbox, Alibaba, Duolingo, Line, Mail.Ru, Headspace, Tinder, and Snapchat.

How Does It Work?

To understand how it works, one should first know which "qualifying bugs" researchers are rewarded for. These are limited to RCE (remote code execution) flaws that work on Android devices running version 4.4 or above. This includes attacks that allow malicious code to be downloaded and executed, opening a webview in an app for phishing, and manipulating the user interface to cause a fraudulent transaction. Here is how the program works:

  • Researchers find bugs and report them directly to the app's developer via their current vulnerability disclosure process.

  • The bounty page links to each participating firm's page for reporting issues.

  • The app developer works with the researcher to fix the bug.

  • Once the bug is resolved, the researchers request a reward from the Google Play Security Reward Program.

  • The Android Security team issues an additional reward to thank them for improving security within the Google Play ecosystem.

Many companies in the bounty program are already offering bug bounties separately via HackerOne or through their own programs. Some of these companies are listed below:

  • Tinder runs a private bug bounty program.

  • Dropbox has run its bounty since 2014 and currently offers $15,625 for "trivial" RCEs affecting its Android and iOS apps, with higher rewards for attacks on its servers.

  • Snapchat has already paid out approximately $140,000 via the HackerOne bounty program.

Google Play Security Reward Program Top Benefits

  • It aims to incentivize research in a bug bounty model.

  • It can improve Android app security which will benefit app developers.

  • It will also benefit the entire Google Play ecosystem and Android users.

  • It will resolve unknown vulnerabilities and make Android a safe computing platform.

Apart from these, the program has plenty of other features. For details, please have a look at the following video:


As we have seen, the Google Play Security Reward Program offers a lot of benefits and rewards to improve Android security. After watching the video above, you should no longer have any doubts about opting into this program. In fact, you can easily install the app from the Google Play Store.


Published at DZone with permission of Arnab Sarkar, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.
