The Daily Swig Web security digest

Google implements Play Store bug bounty

James Walker | 23 October 2017 at 13:00

‘Security reward’ program encourages techies to find flaws in key apps.

In an effort to further improve software security for the benefit of developers and users, Google has implemented a bug bounty program for certain Android apps available through the Play Store.

In partnership with HackerOne, the Mountain View tech giant said it would offer a $1,000 reward to anyone exposing vulnerabilities in key apps available on the Play Store, including Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.Ru, Snapchat, and Tinder, along with all Google-developed apps.

The scope of the program is limited to remote code execution (RCE) vulnerabilities that work on devices running Android 4.4 and higher. Examples include forcing an app to download or execute arbitrary code, manipulating the UI to commit transactions, or automatically opening a WebView that may lead to phishing attacks.

While the bug bounty program currently applies to the above apps only, Google said the initiative may well be extended to include other apps over time.

Head to the Google Play bug bounty page on HackerOne for full details.