Google has officially announced that it is expanding its bug bounty rewards program. Researchers will now be able to earn money by detecting misuse of users’ data, as well as finding vulnerabilities in any Android applications with more than 100 million installations.
The first innovation is the Developer Data Protection Reward Program (DDPRP), under which information security specialists can report abuse of users’ data. Such problems can be found in third-party applications that have access to the Google API, in Android applications from the Google Play Store, and in applications and extensions from the Chrome Web Store.

“The goal of this program is to encourage anyone who can provide reliable and unambiguous evidence of data abuse. In particular, this program is aimed at identifying situations where user data is unexpectedly used or sold, as well as illegally reused without the consent of the user,” say Google representatives.
Information security professionals who detect cases of data abuse are entitled to a reward of up to $50,000.
In this case, Google follows the example of Facebook. In April 2018, after a scandal involving Cambridge Analytica and user data abuse, the social network updated the bug bounty program so that people who find so-called data abuse in a third-party application can receive a reward of up to $40,000.
Recall that earlier this month Facebook expanded the program to Instagram after another unpleasant incident, this time involving Hyp3r. At the beginning of August 2019, Instagram advertising partner Hyp3r was caught collecting user data in order to compile advertising profiles. Hyp3r secretly collected and stored millions of user stories, images, geolocation data, biographies, interests and so on. As a result, Facebook blocked Hyp3r for violating the rules of the platform.
Another interesting announcement from Google is a reward program for vulnerabilities found in large applications from the Google Play Store. Researchers can now search for vulnerabilities in any application whose installation count has exceeded 100 million and report the problems to Google. The developers of such applications do not have to register anywhere or opt in.
Vulnerability reports will be received through the Google Play Security Reward Program (GPSRP) on the HackerOne platform and then passed on to the application developers. If they fail to fix the reported vulnerabilities, Google will remove their applications from the Play Store.
Interestingly, major developers such as Facebook, Microsoft or Twitter, which run their own bug bounty programs, are not excluded from GPSRP. Moreover, Google says that researchers can report the same bug twice, via GPSRP and directly through the companies’ own bug bounty programs, and thus earn a reward from both.
Although at first glance it seems pointless for Google to pay out of its own pocket for fixing bugs in third-party applications, the company explains that it is actually convenient and profitable. GPSRP was launched back in 2017 but never gained much popularity: in total, Google paid researchers only $265,000 in rewards, although the program already covered a number of popular applications (manually selected by Google).
Google explains that the vulnerability reports received over the past three years were not in vain. All of them have been catalogued and fed into a system that automatically scans applications on the Google Play Store for similar problems. If a bug is detected, the developers of the vulnerable application receive a warning through the Google Play Console and get the opportunity to fix the problem; otherwise their applications are removed from the store. This system is called App Security Improvement (ASI), and according to the company it has already helped 300,000 developers fix more than 1,000,000 applications on Google Play.