Google has launched a bug bounty program for popular apps available on its Play Store. Dubbed the Play Security Reward Program, the bug bounty will be offered through the HackerOne platform and is not aimed at Google's own Android apps.
Instead, Google will pay security researchers to hack apps developed by other people. Only popular apps will be included in the program's scope.
Google, and not the developers of these apps, will foot the bill for any bug reports security researchers find. Google said bug bounties can go up to $1,000 per approved submission.
The program launched today on HackerOne with 13 apps from eight developers — Alibaba, Dropbox, Dulingo, Headspace, Line, Mail.ru, Snapchat, and Tinder.
The bug bounty is limited to a limited number of developers, but Google says it will expand it to more apps and app developers in the future, as it irons out the finer details.
Google also says that bugs found in these apps and reported via the Play Security Reward Program will benefit all app developers.
The company pledged to scan all apps uploaded to its official Play Store for the same vulnerability and alert other app owners (for free) if their apps are vulnerable to the same bugs reported via the bug bounty program.
According to Google, "the scope of this program is limited to RCE (remote-code-execution) vulnerabilities and corresponding POCs (Proof of concepts) that work on Android 4.4 devices and higher."
The good news is that researchers don't need to bypass OS-level sandbox protections for an RCE bug report to be accepted. Vulnerabilities that require app collusion are not accepted.
More details and the bug bounty program's full rules are available on the HackerOne portal.