Google has long maintained various reward programs for its own apps and services like Chrome and Android. However, most independent developers can’t afford to run a similar program. Today, Google is stepping in to support Android app security with the Google Play Security Rewards Program. It’s like Google’s bug bounties, but for third-party apps.
Under the program, security researchers will be encouraged to hunt for vulnerabilities in popular Android apps on the Play Store. They can submit bugs to developers via the HackerOne bounty platform. If the flaw is confirmed and fixed by the developer, Google will pay a $1,000 reward to whoever found it. The developer isn’t on the hook for anything. Not all apps are included in the program. For now, it’s just select developers that have worked with Google to set this up, including Dropbox, Snapchat, and Tinder. Going forward, more apps will be added, provided the developers can commit to fixing bugs as they are reported.
According to the full rules, the Google Play Security Rewards Program is currently limited to remote code execution vulnerabilities. So, pretty severe stuff. However, the flaw does not need to bypass the OS sandbox. You can see the full list of included apps on the HackerOne page.