This article is more than 1 year old

Google takes a little more responsibility for its Android world, will cough up bounties for mega-popular app bugs

Payouts extended to anything with more than 100m installs

Google is expanding its Android bug-bounty program to cover not just holes in the web giant's apps but also vulnerabilities in third-party software – as long as they have more than 100 million installs.

We're told that if an Android application's maker already runs their own bug bounty program, infosec peeps can still claim those prizes from the developers – as well as rewards from the web-search king via its enlarged Google Play Security Reward Program. If an eligible popular app doesn't have its own bug bounty, Google will cough up the cash for any holes reported, and alert the developers to the flaws in their code.

"In these scenarios, Google helps responsibly disclose identified vulnerabilities to the affected app developer," Googlers Adam Bacchus, Sebastian Porst, and Patrick Mutchler explained in announcing the expansion. "This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps."

Google is having a hard time keeping Android malware out of its Play Store due to its, in comparison with Apple and its tightly policed iOS store, light-touch regulation of third-party applications. This almost open-door policy has allowed malicious software to sneak in, and be downloaded by millions of unlucky punters. Google's Play Protect system, an AI-powered malware spotter, has had some success in catching software nasties, but clearly not enough, and the system has been panned by testers. There are about 2.5 billion active Android devices out there, according to the Big G.

Google claims it has helped more than 300,000 developers fix flaws in about 1,000,000 apps on Google Play, and has paid out $265,000 in previous Android app bug bounties. Those rewards have now been raised, and Google says it has paid out $75,500 in the past few months alone.

There's money in data too

Google also says it will cough up dosh for reports of bad behavior by apps and their coders: think applications improperly collecting, selling, or otherwise misusing, user and system data.

"If data abuse is identified related to an app or Chrome extension, that app or extension will accordingly be removed from Google Play or Google Chrome Web Store. In the case of an app developer abusing access to Gmail restricted scopes, their API access will be removed," the Googlers noted. "While no reward table or maximum reward is listed at this time, depending on impact, a single report could net as large as a $50,000 bounty."

This Developer Data Protection Reward Program will be run through HackerOne, which is announcing its own news this week. The bug bounty broker said it has crowned its first crop of millionaire bug hunters.


So you’ve got a zero-day – do you sell to black, grey or white markets?


Hackers Santiago Lopez, Mark Litchfield, Nathaniel Waklemann, Frans Rosen, Ron Chan, and Tommy DeVoss have each surpassed seven figures in bounty payouts via HackerOne. As a whole, HackerOne said it brokered $21m in bug bounty payouts last year, more than double the prior year's total.

In short, it's a good time to be breaking software.

“We predict that hackers will earn $100m by the end of 2020 and, when we reach that milestone, we may very well have 1 million ethical hackers signed up on our platform," said HackerOne CEO Marten Mickos.

"By our estimates, we will have helped our customers find and fix over 200,000 vulnerabilities as more industries than ever are recognizing that an outsider perspective is critical to finding and fixing bugs that, in the wrong hands, could lead to a costly and embarrassing data breach." ®

More about


Send us news

Other stories you might like