San Francisco, Oct 20: Google has launched a new bug bounty programme for security experts where the company will pay $1,000 for finding security flaws in Android apps and then reporting it to Google researchers. "The Google Play Security Reward Programme recognises the contributions of security researchers who invest their time and effort in helping us make apps on Google Play more secure," the tech giant said on its website late on Thursday. All Google's apps are included and developers of popular Android apps are invited to opt-in to the programme being run in partnership with HackerOne. "Through the programme, we will further improve app security which will benefit developers, Android users and the entire Google Play ecosystem," the company said.
For now, the scope is limited to RCE (remote-code-execution) vulnerabilities and corresponding POCs (Proof of concepts) that work on Android 4.4 devices and higher. "This translates to any RCE vulnerability that allows an attacker to run code of their choosing on a user's device without user knowledge or permission," Google said. This is how it works. Researcher identifies vulnerability within an in-scope app and reports it directly to the app's developer via their current vulnerability disclosure or bug bounty process. App developer then works with the researcher to resolve the vulnerability. Once the vulnerability has been resolved, the researcher requests a bonus bounty from the Google Play Security. "The programme will evaluate each submission based on the vulnerability criteria. A reward of $1,000 will be rewarded for issues that meet this criteria," Google said. "We are unable to issue rewards to individuals who are on US sanctions lists or who are in countries (Crimea, Cuba, Iran, North Korea, Sudan and Syria)," it added.