Google is offering white hat hackers up to USD 1000 to take part in bug hunting. The offer applies to the most popular applications in the Play Store, as well as their own apps.
To join the program, a white hat hacker finds an exploit and demonstrates the vulnerability. Only Remote Code Execution (RCE) vulnerabilities that work on Android 4.4 and higher are included. To qualify, the hacker has to work with the developer to resolve the risk within 90 days; Google itself is not involved in that process.
At a high level, the process will look like this:
- Hacker identifies a vulnerability in an in-scope app and reports it directly to the app’s developer via their current vulnerability disclosure process.
- App developer works with the hacker to resolve the vulnerability.
- Once the vulnerability has been resolved, the hacker requests a reward from the Google Play Security Reward Program.
- Android Security team issues an additional reward to the hacker to thank them for improving security within the Google Play ecosystem.
Google has decided not to run the program itself. Instead, HackerOne is running it. Google went so far as to say it does ‘not want to know the details of the exploits’. The hunter works together with the developer to provide a fix, and only then applies for a reward from the Google Play Security Reward Program. To sweeten the deal, the hacker can still receive an additional bounty from the developer, provided, of course, that the developer runs its own bounty program.
For now, Google has limited the programme to a few applications in the store. The current list is Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.Ru, Snapchat and Tinder, plus all the Android applications Google develops in-house, which extends the list considerably.
Check out the rules of the competition over at HackerOne.
Source: Google Blog