Google is expanding its bug bounty program to more apps on the Play Store

What you need to know

  • Google is expanding its Security Reward Program and launching a new Developer Data Protection Reward Program.
  • The Security Reward Program now covers all apps on Google Play with 100 million or more installs — even if app developers don't have a bug bounty program set up.
  • With the Developer Data Protection Reward Program, Google aims to crack down on data abuse in apps.

The Google Play Store is filled with a seemingly endless number of apps, and in an age where digital security is becoming more and more important, having systems in place to ensure these apps are as stable and secure as can be is critical. On August 29, Google announced a couple of big changes coming to the Play Store to help with this effort.

First things first, the existing Google Play Security Reward Program (GPSRP) is getting a considerable revamp. The GPSRP was launched in June 2017 with HackerOne to help identify bugs in apps, and today it's being expanded to include any app on the Play Store with at least 100 million installs — even if the developers of said apps don't have their own bug bounty program established.

We are increasing the scope of GPSRP to include all apps in Google Play with 100 million or more installs. These apps are now eligible for rewards, even if the app developers don't have their own vulnerability disclosure or bug bounty program. In these scenarios, Google helps responsibly disclose identified vulnerabilities to the affected app developer. This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps.

Since it was launched a little over two years ago, the GPSRP has paid out more than $265,000 in bug bounties.

In addition to the GPSRP getting revamped, Google's also launching a new initiative called the "Developer Data Protection Reward Program" (aka DDPRP).

Google's once again working with HackerOne, and with DDPRP, the companies aim to:

Identify and mitigate data abuse issues in Android apps, OAuth projects, and Chrome extensions.

DDPRP will compensate anyone who is able to "provide verifiable and unambiguous evidence of data abuse", with maximum bounties as high as $50,000.

Joe Maring was a Senior Editor for Android Central between 2017 and 2021. You can reach him on Twitter at @JoeMaring1.

1 Comment
  • Seems a good idea.