Google offers Play app store bounty program

Limited to specific apps and vulnerabilities.

Google has opened a bug bounty program for its Play store to help it discover vulnerabilities and improve security.

The program does not cover every app in the app repository, however.

All Android apps developed by Google are in scope for the bounty program, which is run by HackerOne.

Apps from Alibaba, Dropbox, Duolingo, Headspace, Line, Snapchat and Tinder also qualify for bounties, but vulnerabilities have to be submitted to the companies in question first.

Google has also limited the vulnerabilities that qualify for bounties to remote code execution (RCE) on user devices running Android 4.4 or higher. 

Specifically, Google asks for proofs of concept for RCE vulnerabilities that allow attackers to gain full control of devices.

Other types of vulnerabilities that qualify for rewards include those that cause banking apps to make money transfers without user consent, and open webviews that could lead to phishing attacks.

Researchers can earn up to US$31,337 with an additional discretionary bonus of US$1000 under the Play security rewards program.

Reports of malware infecting Google's Play Store have become more common in recent years.

In August Google pulled more than 500 apps from the store after they were found to contain a software development kit (SDK) that could download malicious plug-ins at will. That same month researchers discovered banking malware hiding in the app store as well as a botnet controller.
