Google is expanding its bug bounty series, launching the new Developer Data Protection Reward Program (DDPRP) and broadening the scope of the Google Play Security Reward Program (GPSRP).
The DDPRP will operate in conjunction with HackerOne to identify and mitigate data abuse issues in Android apps, OAuth projects, and Chrome extensions. The program’s goal is to identify situations where user data is being illegally used or sold, or repurposed in an illegitimate way without user consent. The offending app or Chrome extension will then be removed, and the finder will be rewarded, with the top-end bounty hitting $50,000.
GPSRP will now cover all apps in Google Play that have recorded more than 100 million downloads. Google will help responsibly disclose and then reward bug hunters for flaws found in these apps, even if the original developer does not have a bounty program. If the app developer does have its own program, the hunter can take home both rewards.
“This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps. If the developers already have their own programs, researchers can collect rewards directly from them on top of the rewards from Google,” Google reported.
So far, GPSRP has paid out over $265,000 in bounties.