Google Play increases bounties and expands scope for Android apps
In October 2017, Google and HackerOne introduced the Google Play Security Reward Program, the first and only bug bounty program for an app ecosystem. Today, Google is announcing updates to the program, including expanded vulnerability criteria and increased payouts.
5x The Bonuses + New Scope
Bonus rewards for remote code execution vulnerabilities are now $5,000 (previously $1,000), and a new category of in-scope bugs is being added at the $1,000 mark. The new category of bugs includes vulnerabilities that result in theft of private data, including personally identifiable information, as well as other sensitive information that may grant an attacker access to the user’s account.
Updated vulnerability criteria and reward structure

| Remote Code Execution | Vulnerabilities that result in theft of private data, including PII or other sensitive information that may grant an attacker access to the user’s account. |
|---|---|
| $5,000 bonus (500% INCREASE) | $1,000 bonus NEW |
Additionally, vulnerabilities that result in sensitive information being transferred unencrypted, or bugs that result in access to protected app components, are now in scope. You can find the apps that are opted in at the Google Play Security Reward Program page on HackerOne. As more developers opt in, more apps will be listed over time.
HackerOne’s customers have already resolved over 60,000 valid security vulnerabilities with help from the world’s largest hacker community. With your help, we will resolve more vulnerabilities and make Android the safest computing platform in the world for its more than 2 billion active devices.
For more details and to get hacking, head over to hackerone.com/googleplay.
-- HackerOne team