Google adds all Android apps with over 100 million installations to its bug bounty program



Today, Google expanded its bug bounty program to cover any Android app listed on the Play Store that has more than 100 million installations.

That means that, starting today, security researchers can report vulnerabilities in these apps to Google, and the maker of the Android operating system will pay monetary rewards for valid bug reports.

All Android apps with 100M+ installs are fair game now

All Android apps listed on the Play Store with over 100 million installations are eligible, and app developers do not have to sign up or do anything else.

Google will triage all bug reports through its Google Play Security Reward Program (GPSRP), hosted on the HackerOne platform, and then escalate vulnerabilities to the app developers. If the bugs are not fixed, Google will remove the apps from the Play Store.

App developers such as Facebook, Microsoft or Twitter, which run their own private bug bounty programs, are not excluded from the GPSRP.

Google said that researchers could submit the same bug report via the GPSRP and then through those companies' private bug bounty programs, and be rewarded twice for the same bug.

Google recently increased the rewards for app bugs

Google launched the GPSRP in 2017. In the first three years of the program, bug hunters could earn up to $5,000 for remote code execution bugs, or up to $1,000 for bugs resulting in the theft of private data or access to protected components of an app.

However, despite Google offering to pay for bugs in non-Google apps, the program never caught on, as security researchers tended to gravitate toward Google's other bug bounty programs. To date, the GPSRP has paid security researchers only a little over $265,000 in bounties, a fraction of the millions of dollars Google has paid out through its other bug bounty programs.

Last month, in an effort to increase participation in the program, Google raised the payouts for the aforementioned bugs to $20,000 for RCEs and $3,000 for the other two categories.

In addition, while initially only a small subset of popular apps (manually selected by Google) was included in the GPSRP, from today any Android app or game exceeding 100 million downloads is automatically eligible, making the company's Play Store bug bounty program even more attractive than before.

Google has been reusing Android app bug reports

In addition, even if at first glance it may seem strange that Google pays for bug reports in third-party apps, the company said there is a tangible benefit and a method to its madness.

The Android OS maker said the vulnerability reports it received over the last three years via the GPSRP did not go to waste. All bug reports have been cataloged and fed into a system that automatically scans other apps in the Play Store for the same issues.

If other apps are vulnerable to a bug reported through the GPSRP, their developers receive alerts in their Google Play Console telling them to fix the issue or have their app removed from the Play Store.

This system, called App Security Improvement (ASI), has helped Google leverage and maximize the work of the security researchers in the GPSRP.

"Over its lifetime, ASI has helped more than 300,000 developers fix more than 1,000,000 apps on Google Play," Google said.

"In 2018 alone, the program helped more than 30,000 developers fix more than 75,000 apps. The downstream effect means that those 75,000 vulnerable apps are not distributed to users until the issue is fixed."

In addition, Google also announced today the launch of a new bug bounty program that lets security researchers report Android apps, Chrome extensions, and third-party apps with access to Google APIs that steal or misuse Google user data. This bug bounty program is modeled on a similar one run by Facebook and Instagram.
