Google launches bug bounty program for Android apps including Dropbox and Tinder
Google has set up the Google Play Security Reward Program on HackerOne. Developers of popular apps can sign up, and Google rewards the hackers who find vulnerabilities in those apps. Hackers get a thousand dollars plus an extra reward from the Android Security team.
Currently, eight apps are part of the new bug bounty program. These are Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.Ru, Snapchat and Tinder. More apps may be added over time, Google says. App developers need to sign up with Google for that. Only popular apps are eligible.
In order to collect a bug bounty, hackers must first report the vulnerability to the maker of the app in question. The app developer then works with the hacker to fix the vulnerability. Once that is done, the hacker can report the finding to the Google Play Security Reward Program.
Within the program on HackerOne, Google is offering a prize of one thousand dollars per vulnerability found, provided it meets the set criteria. That amount could rise, because in the description, Google reports that the Android Security team gives an additional reward to “thank you for improving security in the Google Play ecosystem”. Google does not disclose exactly what that addition entails.
The reward from the Google Play Security Reward program is in addition to the reward hackers get for reporting the vulnerability to the developer of the app itself. Many of the participating apps also have their own bug bounty program on HackerOne.
For now, only RCE (remote code execution) vulnerabilities are eligible, and hackers must show a proof of concept that works on Android 4.4 or newer. Through the vulnerability in the app, hackers must be able to run code on the victim’s device without the user noticing or having to grant permission. Google reports that other vulnerability types may also be considered in the future.
The Google Play Security Reward Program is separate from the bug bounty program that Google already runs for its own apps. Google also emphasizes that hackers should not report vulnerabilities in apps that are not enrolled in the program.