Google expands and adds new bug bounty service

News by Doug Olenick

Google is expanding its bug bounty series, launching the new Developer Data Protection Reward Programme and expanding the scope of the Google Play Security Reward Programme

Google is expanding its bug bounty series, launching the new Developer Data Protection Reward Programme (DDPRP) and expanding the scope of the Google Play Security Reward Programme (GPSRP).

The DDPRP will operate in conjunction with HackerOne to identify and mitigate data abuse issues in Android apps, OAuth projects, and Chrome extensions. The programme's goal is to identify situations where user data is being illegally used or sold, or repurposed in an illegitimate way without user consent. The offending app or Chrome extension will then be removed and the finder will be rewarded, with the top-end bounty hitting $50,000.

GPSRP will now cover all apps in Google Play that have recorded more than 100 million downloads. Google will help responsibly disclose flaws found in these apps and then reward the bug hunters who find them, even if the original developer does not have a bounty programme. If the app developer does have its own programme, the hunter can take home both rewards.

"This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps. If the developers already have their own programmes, researchers can collect rewards directly from them on top of the rewards from Google," Google reported.

So far, GPSRP has paid out over $265,000 (£215,000) in bounties.

This article was originally published on SC Media US.
