Google Expands Scope of Its Bug Bounty Programme, Unveils Data Protection Reward Programme for Developers

It appears that the recent surge in the number of malware-loaded apps that have managed to rake millions of downloads have forced Google to reconsider its data security strategy. To effectively handle the threats, Google has widened the scope of its Google Play Security Reward Program (GPSRP) to cover all apps that have amassed over 100 million downloads on the Play Store. This effectively means Google is providing a bug bounty for finding vulnerabilities in third-party apps. Additionally, the company has also launched the Developer Data Protection Reward Program (DDPRP) in collaboration with HackerOne to discover and eliminate data abuse issues spotted in Android apps, OAuth projects, and Chrome extensions.

Google has actively been purging malware-laden apps from the Play Store, but the company has been having a hard time with it, especially when some very popular apps are found to be complicit. Take for example the CamScanner app, which had over 100 million downloads, but was recently booted from the Play Store for seeding an advertising malware. To more effectively curb such instances, Google has expanded its Google Play Security Reward Program (GPSRP) to cover all apps that have clocked 100 million or more downloads on the Play Store.

Security researchers can now collect bounty for discovering vulnerabilities and serious security bugs in eligible apps, even if the developers are not running a bug bounty programme. And in case a developer-side bug bounty programme exists, researchers can collect rewards from them as well as Google as an added incentive. As for the rewards, finding a RCE (Remote Code Execution) vulnerability will pocket the security researcher a cool $20,000 (roughly Rs. 14,31,000). Discovery of vulnerabilities that lead to data theft will be rewarded with $3,000 (roughly Rs. 2,15,000), while those that concern access to a protected app component will net the finder an equivalent amount.

In addition to tweaking the bug bounty programme, Google has also unveiled the Developer Data Protection Reward Program (DDPRP) in collaboration with HackerOne. The goal of DDRP is to “identify and mitigate data abuse issues in popular Android applications, OAuth projects, and Chrome extensions”. Under the aegis of DDPRP, Google will reward developers who find apps that violate Google Play, Google API or the Google Chrome Web Store programme policies.

Apps that mishandle local phone data, those that share sensitive information with third-party advertisers, an extension that violates Chrome Web Store's minimum user data privacy requirements, are among the instances that Google wants to identify and eliminate. 

In case data abuse is spotted, the app or Chrome extension will duly be removed from the Play Store and the Google Chrome Web Store. On a similar note, involvement in abusing access to Gmail restricted scopes will result in the removal of API access. A peak reward is yet to be listed, but security researchers can expect to net a bounty as large as $50,000 (roughly Rs. 36,80,000) if the discovery is really impactful