In 2017, Google launched the Play Security Reward Program to encourage researchers to find vulnerabilities in first and third-party applications. The initiative now includes all Android applications with over 100 million installs.
GPSRP allows security researchers to find bugs and report them directly to the application developer. Once addressed, Google will issue a reward bounty, with this program helping address problems in popular Android apps. Google has already paid out $265,000 in bounties, and recently increased rewards.
Google today is increasing GPSRP’s scope to cover all apps in the Play Store with over 100 million installs. This allows issues to be reported even when the app developer lacks a vulnerability disclosure or bug bounty program. Google Play will help responsibly disclose identified vulnerabilities in those situations. The program previously required interested Android developers to apply for inclusion with Google then determining eligibility.
This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps. If the developers already have their own programs, researchers can collect rewards directly from them on top of the rewards from Google. We encourage app developers to start their own vulnerability disclosure or bug bounty program to work directly with the security researcher community.
This program also helps Google create automated checks that can be used to scan all apps in the Play Store for similar vulnerabilities. Part of the App Security Improvement program, this existing initiative has helped 300,000 developers fix more than 1,000,000 applications.
In 2018 alone, the program helped over 30,000 developers fix over 75,000 apps. The downstream effect means that those 75,000 vulnerable apps are not distributed to users until the issue is fixed.
Google today is also launching a Developer Data Protection Reward Program with HackerOne focussed on data abuse. It’s aimed at identifying and mitigating problems in Android apps, OAuth projects, and Chrome extensions.