Google, despite the stringent checks it applies to apps entering the Play Store, still fails to detect malware in some instances. Just a few days ago, Symantec Security found eight apps in the Play Store carrying the malicious Sockbot code, with a combined install base estimated at between 600,000 and 2.6 million devices.
Now the search engine giant has stepped up its war on malware and teamed up with the widely known bug bounty platform HackerOne to launch the Google Play Security Reward Program. Everyone from senior experts to budding ethical (white hat) hackers can join the campaign to find vulnerabilities in mobile apps on its Play Store before attackers do.
"Today, we're introducing the Google Play Security Reward Program to incentivize security research into popular Android apps available on Google Play. Through our collaboration with the independent bug bounty platform HackerOne, we'll enable security researchers to submit an eligible vulnerability to participating developers, who are listed in the program rules. After the vulnerability is addressed, the eligible researcher submits a report to the Play Security Reward Program to receive a monetary reward from Google Play," the company said in a statement.
Here's how the Google Play Security Reward Program works:
- If a researcher identifies a vulnerability in an in-scope app, he or she must first report it directly to the app's developer through that developer's existing vulnerability disclosure process.
- If the vulnerability is confirmed, the app developer works with the researcher to resolve it.
- Only once the vulnerability has been resolved can the researcher request a reward from the Google Play Security Reward Program.
- As of now, the scope of the program is limited to RCE (remote code execution) vulnerabilities, with a corresponding PoC (proof of concept) that works on devices running Android 4.4 or higher.
- If the Android Security team finds that a contribution significantly improves the security of the Google Play ecosystem, it may grant the researcher an additional reward.
- Depending on the severity of the bug found, participants can claim up to $1,000 (€846.20/Rs 65,030) from the Google Play Security Reward Program.
Google Play Security Reward Program Guidelines
- All vulnerabilities must always be reported directly to the app developer first. This program is only for requesting bonus bounties after the original vulnerability has been resolved with the app developer.
- Only developers who have expressed a commitment to fixing bugs disclosed to them have been invited to the program. It is the responsibility of each developer to respond to and fix bugs in a timely manner.
- Follow HackerOne's disclosure guidelines.
- Researchers are required to provide detailed reports with the information requested in the submit-report form. Reports that lack the required information or do not meet the criteria of this program will not be eligible for a reward.
- When duplicates occur, only the first report received is rewarded (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue and reported to the same developer will earn a single reward.
- Google reserves the right to decide the cash amount awarded to researchers.
- Interested participants can register at HackerOne.
Note: Participants residing in US-sanctioned countries and regions (such as Crimea, Sudan, Syria, Cuba, Iran and North Korea) are not eligible for this program.