Android figurine next to lamp

Photo via Visual Content/Flickr (CC-BY)

Google expands bug bounty program to include 3rd-party Google Play apps

Bug finders can be paid $1,000 if the vulnerability meets the right criteria.


Christina Bonnington


Published Oct 24, 2017   Updated May 22, 2021, 1:25 pm CDT

Despite Google’s best efforts, time and again, malware keeps making its way into the Google Play Store.

Featured Video Hide

Last year, Android users downloaded a malicious Pokémon Go guide app half a million times before Google removed it from the store. Just last month, another massive malware campaign was uncovered. While Google has offered a bug bounty program since 2010, the search giant is now expanding its bug-finding efforts. It will include third-party apps in the Play Store, too.

Advertisement Hide

The new Google Play Security Reward Program pays researchers up to $1,000 for discovering bugs in popular Google Play Store apps. Google Play is working with bug bounty platform Hacker One on the program.

It works like this: If a hacker finds a bug in an app participating in the opt-in program, they’ll report it through the app’s vulnerability disclosure process. Then, the app and hacker work together to find a solution to the bug over the next 90 days. Once resolved, the hacker can reach out to the Google Play Security Reward Program and request the bounty. The Android Security team will then pay the hacker as a thanks for improving overall Google Play Store security.

Hackers (and app developers) must abide by some additional rules and stipulations, as well. (For example, if a hacker reports multiple vulnerabilities, but they’re all caused by the same issue, Google will only reward them for the one underlying issue.) The program also only includes a couple specific kind of vulnerabilities: RCE (remote-code-execution) vulnerabilities and corresponding POCs (proof of concepts). These must work on Android 4.4 devices or higher.

The program description also repeatedly stresses the importance of researchers reaching out to the app developer first. As they’d be finding bugs within apps themselves, Google can’t really do anything about fixing those issues. The bug bounty program depends on developers to fix those vulnerabilities.

Advertisement Hide

Considering Google’s continued struggles to keep malware out of the Play Store, this new bounty program sounds like a good idea. At the moment, Alibaba, Dropbox, Duolingo, Headspace, Line,, Snapchat, and Tinder are the only apps participating in the program, but that list is sure to expand.

H/T The Verge

Share this article
*First Published: Oct 24, 2017, 11:42 am CDT