Google Play bug bounty hunts RCE vulnerabilities

A Google Play bug bounty program, run by Google and HackerOne, asks testers to hunt for remote code execution vulnerabilities in some of the top Android apps.

Google and HackerOne have partnered to start a new Google Play bug bounty program that incentivizes testers to find critical vulnerabilities in popular Android apps.

The Google Play Security Reward Program is designed to be complementary to Android bug bounty programs run by developers themselves. The Google Play bug bounty is $1,000 for any qualifying vulnerability, paid as a bonus to any other bounties offered.

To be eligible for the Google Play bug bounty, researchers will need to first submit the vulnerability to the original developer of an app. After the vulnerability has been patched, the researcher can request the reward from the Google Play bug bounty program, which is officially named the Google Play Security Reward Program.

At the start of the program, Google will only pay the bonus for remote code execution (RCE) vulnerabilities and proof-of-concept exploits running on Android version 4.4 KitKat and newer. The Google Play bug bounty will also only be paid for flaws found in apps from just nine developers, including Dropbox, Line, Snapchat and Google, but more developers are expected to be added over time.

Qualifying RCE flaws must be exploitable through a single app, cannot depend on vulnerabilities in other apps, and must have been patched within the 90 days before the researcher applies for the Google Play Security Reward Program's reward.

"As the Android ecosystem evolves, we continue to invest in leading-edge ideas to strengthen security," said Vineet Buch, director of product management for Google Play, in the HackerOne announcement. "Our goal is to continue to make Android a safe computing platform by encouraging our app developers and hackers to work together to resolve unknown vulnerabilities; we are one step closer to that goal."
