Google adds all Android apps with +100m installs to its bug bounty program

Google will pay security researchers for bugs they report in non-Google Android apps that have over 100 million installs.

page.png

Google

Google expanded its bug bounty program today to include any Android app listed on the Play Store that has more than 100 million user installs.

This means that starting today, security researchers can report vulnerabilities in these apps to Google, and the Android OS maker will provide monetary rewards for valid bug reports.

All +100m Android apps are fair game now

All Android apps listed on the Play Store with over 100 million installs are eligible, and app developers don't have to sign up or do anything else.

Google will triage all bug reports via its Google Play Security Reward Program (GPSRP) on the HackerOne platform, and then relay the vulnerabilities to app developers. If apps fail to address the bugs, Google will remove them from the Play Store.

App developers such as Facebook, Microsoft, or Twitter, which have their private bug bounty programs are not excluded from the GPSRP.

Google said app developers could submit the same bug reports via the GPSRP, and then on those companies private bug bounty programs, and receive a reward for the same bug twice.

Google recently increased app bug rewards

Google launched the GPSRP in 2017. In the program's first three years, bug hunters could earn up to $5,000 for remote code execution bugs, or up to $1,000 for bugs that resulted in the theft of private data, or access to an app's protected components.

But despite Google offering to pay for bugs in non-Google apps, the program never caught on, as security researchers tended to drift towards Google's other bug bounty programs. To date, the GPSRP has only paid security researchers just over $265,000 in bounties, a fraction of the millions of dollars Google has paid through its other bug bounty programs.

Last month, in an attempt to boost participation in the program, Google increased payouts for the aforementioned bugs to $20,000 for RCEs, and $3,000 for the other two.

Furthermore, while initially only a small subset of popular apps was included in the GPSRP (manually selected by Google), starting today, any Android app or game that has passed the 100 million download mark is automatically eligible, making the company's Play Store bug bounty program even more attractive than before.

Google has been repurposing Android app bug reports

In addition, even if at first glance it appears that Google is paying for bug fixes in third-party apps out of its pocket, the company said there's a tangible benefit and a method to its madness.

The Android OS maker said that past vulnerability reports it has been receiving in the previous three years through the GPSRP haven't gone to waste. All bug reports have been cataloged and included in a system that automatically scans other Play Store apps for the same issues.

If other apps are found to be vulnerable to a bug reported via the GPSRP, those app developers receive alerts in their Google Play Console to fix the issues or have their apps removed from the Play Store.

This system, named the App Security Improvement (ASI), has helped Google benefit and maximize the work of security researchers in the GPSRP.

"Over its lifetime, ASI has helped more than 300,000 developers fix more than 1,000,000 apps on Google Play," Google said.

"In 2018 alone, the program helped over 30,000 developers fix over 75,000 apps. The downstream effect means that those 75,000 vulnerable apps are not distributed to users until the issue is fixed."

On a side note, also today, Google announced it was opening a new bug bounty program where security researchers could report cases of Android apps, Chrome extensions, and third-party apps with access to the Google API that stole or misused Google user data. This bug bounty program is inspired by a similar one running at Facebook and Instagram.