Google is introducing a new program to help root out vulnerabilities in third-party apps in its Google Play storefront. The Google Play Security Reward Program will pay researchers who discover problems in popular Android apps found in the store.
Google has maintained bug bounty programs for products such as Chrome, Chrome OS and others, paying thousands of dollars for vulnerabilities. Developers of popular apps are invited to opt in to the program to “proactively [improve] the security of some of the most popular Android apps on Google Play.”
The company is collaborating with vulnerability coordination and bug bounty platform HackerOne. Developers are only able to participate if they’re willing to respond to and fix the bugs in a timely manner, follow HackerOne’s disclosure guidelines and provide detailed reports. Presently, Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.ru, Snapchat, and Tinder are eligible for rewards, but Google says that this list will expand with time.
According to HackerOne, hackers will identify app vulnerabilities and report them to the developer, and the two will work out a resolution within 90 days. The hacker then requests a reward from the program. Once it’s evaluated and found to meet Google’s criteria, the finder will be awarded $1000.