Friday, October 20

Google launches bug bounty program for Third-Party Mobile Apps

Google launches bug bounty program for Third-Party Mobile Apps

Google is offering security experts a bounty to identify Android app flaws as the Alphabet Inc unit seeks to wipe out bugs from its Google Play store. At the outset, bug-hunters will work directly with developers of popular apps through the HackerOne platform and are in line for $1,000 rewards for security issues reported through the program.

Under the program, security researchers will be encouraged to hunt for vulnerabilities in popular Android apps on the Play Store. They can submit bugs to developers via the HackerOne bounty platform. If the flaw is confirmed and fixed by the developer, Google will pay a $1,000 reward to whoever found it. Each flaw will score at least $1,000 under the programme announced to back up automated checks that have failed to block malware and other problems that security experts say infect the 8-year-old app store.

Google said in announcing the program today. “The goal of the program is to further improve app security which will benefit developers, Android users, and the entire Google Play ecosystem.”

Google did not reveal the funding for its program but said it would start small. Google also has long maintained various reward programs for its own apps and services like Chrome and Android. Google’s bug bounty program for its Android mobile operating system, launched in June 2015, doled out $1.5 million for hundreds of vulnerability reports over its first two years.

Google has also responded with security tools for Android in addition to the bounty. In May, it introduced Google Play Protect, which scans previously downloaded apps to determine whether they’ve been updated with malicious code. This helps secure apps obtained not only from Google Play but also from third-party stores that aren’t subject to Google’s Verify Apps scanner. Google Play Protect is also a cornerstone security measure in Android 8.0, known as Oreo.