Google launches bounty program to spot misuses of Google API, Chrome, and Android user data

Google follows in Facebook's footsteps and launches a program to spot app devs stealing or misusing Google user data.
Written by Catalin Cimpanu, Contributor

Google announced today a new bug bounty program through which security researchers can report cases of abuse where third-party apps are stealing or misusing Google user data.

The new bounty program is named the Developer Data Protection Reward Program (DDPRP), and security researchers can report cases of potential data abuse in third-party apps that have access to the Google API, in Android apps listed on the Play Store, and in Chrome apps and extensions listed on the Chrome Web Store.

"The program aims to reward anyone who can provide verifiable and unambiguous evidence of data abuse," Google said today.

"In particular, the program aims to identify situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent."

Reports of Google user data abuse can be filed via the DDPRP page on HackerOne, a bug bounty platform where Google runs some of its bounty programs. Google will investigate any cases of abuse and suspend offending apps.

Security researchers who file valid data abuse reports are eligible for rewards of up to $50,000, Google said.

Following Facebook's lead

Google's new initiative is similar to bounty programs announced by Facebook and Instagram in previous years.

In April 2018, following the Cambridge Analytica scandal, Facebook announced it would pay security researchers to track down similar apps that secretly collected and misused Facebook users' data.

Earlier this month, Facebook expanded the same program to include Instagram apps after an Instagram advertiser named Hyp3r had secretly scraped profiles and stored information on Instagram users outside Facebook's more secure servers.

Google hasn't suffered any major user data privacy incident like those at Facebook and Instagram, but the search giant is in a similar position.

Just like Facebook, Google sits on a huge mountain of users' most personal details, and at one point or another, an unscrupulous app dev will decide to siphon some of it for themselves.

Seeing that Facebook faced a constant barrage of bad press and regulatory pressure after its privacy scandals, Google is desperately trying to avoid going through the same issues at all costs, and the DDPRP is a good way of going about it.

Also today, Google announced it was expanding its Play Store bug bounty program to include any Android app that had over 100 million user installs. This means that starting today, security researchers can report vulnerabilities in these apps to Google, and the Android OS maker will provide monetary rewards for valid bug reports, even if those apps don't have their own bug bounty programs.
