Google is going to throw more bug bounty money at the problem of nasty apps in its Play Store, it announced on Thursday.
In a post from the Android Security & Privacy team’s Adam Bacchus, Sebastian Porst, and Patrick Mutchler, the company said that it’s throwing the security net over not just its own apps, but over all uber-popular third-party software – as in, apps that have more than 100 million installs.
Money from the enlarged pot in the Google Play Security Reward Program (GPSRP) will go to hunters who find bugs in apps from Android app makers, even if those makers are running their own bug bounty programs.
Google is encouraging app makers that don’t yet have bug bounty programs to start them up. If a given app developer doesn’t have a bug bounty program yet, though, Google will be helping bug hunters to responsibly disclose identified vulnerabilities to them.
Google’s sweetening of the pot should help stamp out that many more bugs, the company said, though it would be nice if the app developers set up these programs themselves:
This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps. If the developers already have their own programs, researchers can collect rewards directly from them on top of the rewards from Google. We encourage app developers to start their own vulnerability disclosure or bug bounty program to work directly with the security researcher community.
In July 2019, Google announced that it was tripling the maximum baseline reward amount from $5,000 to $15,000 for Chrome bugs, and doubling the maximum reward amount for high-quality reports from $15,000 to $30,000. It also doubled the additional bonus given to bugs found by fuzzers running under its Chrome Fuzzer Program to $1,000.
It also pumped up its standing reward to $150,000 for exploit chains that can compromise a Chromebook or Chromebox with persistence in guest mode.
At that time, Google said that rewards paid out under the GPSRP for remote code execution bugs were going way up: from $5,000 to $20,000. At the same time, rewards for bugs involving theft of insecure private data were increased from $1,000 to $3,000, and payment for bugs enabling access to protected app components was pushed from $1,000 to $3,000.
It’s all adding up: Google says that to date, GPSRP has paid out over $265,000 in bounties. Increasing the scope has resulted in $75,500 in rewards across July and August alone, Google says, and the more it adds, the more it expects the security research community is going to help it stamp out bugs.