Since the launch of its bug bounty program in 2010, Google has paid more than $15 million in awards to security researchers. Today, the tech giant announced plans to further expand the Google Play Security Reward Program (GPSRP) to include hundreds of millions of Android apps. At the same time, Google partnered with HackerOne to launch the Developer Data Protection Reward Program (DDPRP), which rewards researchers for finding data abuse in Android apps, OAuth projects, and Chrome extensions.
Google believes that the bug bounty program is a powerful complement to its internal security program, one that motivates individuals and security research organizations to help it find defects and disclose them properly, rather than selling them or using them on the black market.
To date, the Google Play Security Reward Program (GPSRP) has paid more than $265,000 in prize money to security researchers. As the program covers more popular apps, Google is expected to allocate more budget to it in the future. At the same time, Google is working to improve its automated vulnerability screening and to find similar vulnerabilities across all apps in Google Play. Affected app developers can receive a notification via the Play Console.
Google’s App Security Improvement (ASI) project provides developers with information about a vulnerability and how to fix it. In February of this year, Google revealed that the ASI project had helped more than 300,000 developers and fixed more than 1 million apps on Google Play.
The Developer Data Protection Reward Program (DDPRP) is designed to identify and mitigate data abuse issues in Android apps, OAuth projects, and Chrome extensions. If a researcher can verify explicit data misuse, Google will pay a bounty according to the DDPRP reward scheme, up to a maximum of $50,000. The company is particularly concerned about user data being used or sold.