Google expands its bug bounty program to include third-party Android apps

Google now offers rewards for vulnerabilities found and resolved in certain apps, including Dropbox, Duolingo, and Snapchat.

Bug bounty programs are often offered by companies to solicit assistance from the public in finding flaws, vulnerabilities or other design problems within applications.

For some time now Google has offered a standard bug bounty program for its own apps. On October 19th, the company announced that it had expanded the program to cover security vulnerabilities or possible malware in specific third-party apps on the Play Store, including the following:

  • Alibaba
  • Dropbox
  • Duolingo
  • Headspace
  • Line
  • Mail.Ru
  • Pandora
  • Snapchat
  • Tinder

Google will pay $1,000 for each verified and resolved software vulnerability. At this time the program only covers remote-code-execution vulnerabilities, with a proof of concept that runs on Android 4.4 KitKat or higher. Specifically, the vulnerability must allow an attacker to do one of the following:

  • run code on a user's device without the user's knowledge or permission
  • take over a device entirely by gaining full control
  • commit transactions by manipulating the user interface
  • use the Android webview function without user input

There is no requirement that the OS sandbox be bypassed for a vulnerability to count here, but any vulnerability that depends on interaction with, or installation of, another app will not qualify under this program.

In order to qualify for the reward, the vulnerability must be reported directly to the app developer via their current vulnerability disclosure process. This link contains details on how and where to submit bugs found in the third-party products listed above.

The app developer must then work with you to resolve the vulnerability, at which point you can request a reward via the Google Play Security Reward Program. Only vulnerabilities resolved within the past 90 days are eligible for a reward, and detailed information about the vulnerability should be submitted to provide as much data as possible about the bug and its corresponding fix.

The reward program works on a "first come, first served" basis: if the same fix is developed by two different individuals working separately from one another, the person who requests the reward first will receive the bounty after a confirmed resolution. Only one reward will be paid out if more than one vulnerability was caused by a single underlying issue. Individuals are expected to comply with all applicable laws and not to compromise information owned by others.

Finally, individuals on US sanctions lists, or located in countries which are on US sanctions lists (Iran, North Korea, and Syria are a few examples) are not eligible for the rewards, nor are individuals employed by Google or their partner companies whose occupations involve programming code for any devices which fall under this program.

"This is definitely a step in the right direction for Google," said Chris Olson, CEO of security firm The Media Trust. "Using a limited bug bounty program is an interesting approach to dealing with the increasing levels of malware and other security concerns found on third-party apps."

Olson also said that a bug bounty should not be viewed as a substitute for a comprehensive security program, and that the onus should still fall on app developers to resolve security issues as quickly as possible, and on Google to vet apps in its store.

Image: iStock/cskorik

By Scott Matteson

Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.