Google offers $1000 to find bugs in Android apps


San Francisco, Oct 20 (IANS): Google has launched a new bug bounty programme for security experts where the company will pay $1,000 for finding security flaws in Android apps and then reporting it to Google researchers.

"The Google Play Security Reward Programme recognises the contributions of security researchers who invest their time and effort in helping us make apps on Google Play more secure," the tech giant said on its website late on Thursday.

All Google's apps are included and developers of popular Android apps are invited to opt-in to the programme being run in partnership with HackerOne.

"Through the programme, we will further improve app security which will benefit developers, Android users and the entire Google Play ecosystem," the company said.

For now, the scope is limited to RCE (remote-code-execution) vulnerabilities and corresponding POCs (Proof of concepts) that work on Android 4.4 devices and higher.

"This translates to any RCE vulnerability that allows an attacker to run code of their choosing on a user's device without user knowledge or permission," Google said.

This is how it works.

Researcher identifies vulnerability within an in-scope app and reports it directly to the app's developer via their current vulnerability disclosure or bug bounty process.

App developer then works with the researcher to resolve the vulnerability.

Once the vulnerability has been resolved, the researcher requests a bonus bounty from the Google Play Security.

"The programme will evaluate each submission based on the vulnerability criteria. A reward of $1,000 will be rewarded for issues that meet this criteria," Google said.

"We are unable to issue rewards to individuals who are on US sanctions lists or who are in countries (Crimea, Cuba, Iran, North Korea, Sudan and Syria)," it added.

  

Top Stories


Leave a Comment

Title: Google offers $1000 to find bugs in Android apps



You have 2000 characters left.

Disclaimer:

Please write your correct name and email address. Kindly do not post any personal, abusive, defamatory, infringing, obscene, indecent, discriminatory or unlawful or similar comments. Daijiworld.com will not be responsible for any defamatory message posted under this article.

Please note that sending false messages to insult, defame, intimidate, mislead or deceive people or to intentionally cause public disorder is punishable under law. It is obligatory on Daijiworld to provide the IP address and other details of senders of such comments, to the authority concerned upon request.

Hence, sending offensive comments using daijiworld will be purely at your own risk, and in no way will Daijiworld.com be held responsible.