Many times in 2017, I have reported on the constant threat of malware in vetted Google Play Store apps. These apps have been linked to malicious actors and also to innocent companies that saw their applications infected unbeknownst to them. As a result of this massive increase in infected applications post-vetting, cybersecurity professionals like myself have been reluctant to recommend the Google Play Store until solutions were found. It appears our concerns have been heeded, as a Google Play bug bounty program has been announced with hopes of restoring trust in Google’s app distribution service.
Teaming up with HackerOne, which is already handling many other high-profile clients, Google has established a bug bounty program. Per the HackerOne announcement of the program, Google seeks “RCE (remote-code-execution) vulnerabilities and corresponding POCs (Proof of concepts) that work on Android 4.4 devices and higher… this translates to any RCE vulnerability that allows an attacker to run code of their choosing on a user’s device without user knowledge or permission.”
The guidelines of the program require that Google Play bug bounty participants report all vulnerabilities to the app developers first. Additionally, participants are not allowed to submit any bug reports until the respective app developers have resolved the issues. The rules for the bug bounty program also include a 90-day time limit for reporting bugs to the Play Security Program once they have been patched.
If the requirements for the Play Security Program are met, participants who find vulnerabilities can net $1,000. There are some stipulations as to who can participate in the Google Play bug bounty program, some of them relating to geopolitical nonsense. Individuals from nations that are on the U.S. sanctions list (the announcement lists Cuba, Iran, North Korea, Sudan, and Syria as examples) are prohibited from partaking. Additionally, as there is a potential conflict of interest, Google employees and individuals who work for Google Partner companies that “develop code for devices covered by this program” are also barred from entering the program.
Photo credit: Pixabay