Google has announced the expansion of its Google Play Security Reward Program (GPSRP) and introduced its new Developer Data Protection Reward Program (DDPRP). GPSRP is a bug bounty program focused on Google Play in collaboration with HackerOne. DDPRP is a bounty program for Android, OAuth, and the Chrome Extension ecosystem. In an announcement about its bounty programs, Google reiterated its dedication to collaboration with the developer community when it comes to securing apps and services.
"We're constantly looking for ways to further improve the security and privacy of our products, and the ecosystems they support," Adam Bacchus, Sebastian Porst, and Patrick Mutchler of Google's Android Security and Privacy team commented in a blog post announcement. "[W]e understand the strength of open platforms and ecosystems, and that the best ideas don't always come from within."
Specifically, the GPSRP expansion increases the scope of the program. Now, all apps within the Google Play ecosystem with 100+ installs are included under the program. Individual apps do not need to have their own bug bounty program in order for researchers to receive rewards under GPSRP. Google uses reported data to create automated checks across all apps in Google Play. If a particular app is found to be vulnerable, Google notifies the app developer through the App Security Improvement (ASI) program. Additionally, Google has increased rewards under the program.
DDPRP is a bounty program that helps identify and mitigate data abuse across Android apps, OAuth projects, and Chrome extensions. Those who find violations and abuses of the Google Play, Google API, and Google Chrome Web Store Extension API policies can report them through the program. Reports need to be verified and unambiguous to warrant a reward under the program. The program is specifically aimed at finding abuse in situations where data is used or sold in unexpected or illegitimate ways.