After a number of malware and malicious apps were found making their way through Google’s security systems, Google introduced Google Play Protect to ensure that this gets reduced. However, malware were still making their way past the security mechanisms. Google is now relying upon security researchers to help them out with the Google Play Security Rewards Program. The Google Play Security Rewards Program is being introduced in collaboration with HackerOne – a bug bounty platform. The aim of the program is to incentivize security research towards popular Android Apps on the Google Play Store which will help ensure that the users remain protected.
Google noted that other similar bounty based programs have been quite successful in the past. As of now, the scope of this program is limited to vulnerabilities which are based on remote control execution (RCE attacks) on Android 4.4 or higher. RCE attacks are those attacks where a malware can run a code on a device without the permission of the user. HackerOne explains how this program works:
The process starts with the security researcher (hacker) identifying a vulnerability in an app on the Google Play Store. The hacker has to report this vulnerability directly to the app developer via the vulnerability disclosure process. The hacker then collaborates with the app developer to help them fix the vulnerability in their app. Following the resolution of the vulnerability, the hacker is now eligible to request a reward from the Google Play Security Rewards Program. The Android Security Team rewards the hacker.
Source: HackerOne
