Google expands bug bounty programme with $20,000 rewards for discovering bugs in Play Store apps

Google will now reward security researchers for discovering flaws in any app on the Play Store with 100+ million installs

Google has expanded the scope of its bug bounty programme to include the most popular apps on the Play Store.

Previously, the Google Play Security Reward Programme (GPSRP) covered just the top eight apps on the Play Store, but Google has now made it more attractive to bug hunters following a series of allegations about insecure apps in the Google Play store.

"At Google, we understand the strength of open platforms and ecosystems, and that the best ideas don't always come from within. It is for this reason that we offer a broad range of vulnerability reward programmes, encouraging the community to help us improve security for everyone," Google stated in an online announcement.

"Today, we're expanding on those efforts with some big changes to Google Play Security Reward Programme (GPSRP), as well as the launch of the new Developer Data Protection Reward Programme (DDPRP)," it added.

Google will now reward security researchers for discovering flaws in any app on the Play Store with 100 million or more installs.

Eligible researchers will receive cash rewards from the company even if the app's developer does not run a bug bounty programme. If a developer does run a bug bounty programme for its app, security researchers can still collect a reward from that developer as well as from Google.

The company will offer researchers bounties of up to $20,000 for discovering vulnerabilities in an app.

However, the vulnerabilities must first be disclosed to the app developer and only afterwards reported to Google. The internet giant will evaluate each vulnerability and offer the extra bounty as it deems appropriate.

Discovering a remote code execution (RCE) flaw, for example, will fetch a cool $20,000 award for the bug hunter. Finding vulnerabilities that could result in data theft or that grant access to a protected component of an app will be rewarded with $3,000.

Google has also launched the Developer Data Protection Reward Programme, in partnership with HackerOne, which will pay security researchers a cash reward of up to $50,000 for finding "data abuse issues" in Chrome extensions, Android apps, etc.

According to Google, any app found to be using or selling users' data without their consent will be removed from the Chrome Web Store or the Play Store. The security researcher who finds such an app will be eligible to receive a reward of up to $50,000 from the company.

The bug bounty programmes of leading tech firms like Microsoft, Google, Intel and Apple are today offering individuals bounties as high as $1.5 million for reports of critical security issues.

Just last week, the HackerOne platform announced that six ethical hackers had become millionaires by reporting security flaws through its bug bounty programmes.

Last month, Apple also announced that it was increasing its maximum bug bounty from $200,000 to $1 million in a bid to ensure that security researchers turn in any security flaws they find to Apple rather than selling them on the grey market.

In 2018, Microsoft announced a bug bounty programme offering up to $250,000 for the discovery of major security bugs on the scale of Meltdown and Spectre.