Google Expands Bug Bounty Programme To All Apps With Over 100M Installs (venturebeat.com)
Long-time Slashdot reader AmiMoJo quotes VentureBeat:
Google, which has already paid security researchers over $15 million since launching its bug bounty program in 2010, today increased the scope of its Google Play Security Reward Program (GPSRP). Security researchers will now be rewarded for finding bugs across all apps in Google Play with 100 million or more installs. At the same time, the company launched the Developer Data Protection Reward Program (DDPRP) in collaboration with [bug bounty platform] HackerOne. That program is for data abuses in Android apps, OAuth projects, and Chrome extensions....
Google also uses this vulnerability data to create automated checks that scan all Google Play apps for similar vulnerabilities. Affected app developers are notified via the Play Console. The App Security Improvement (ASI) program provides them with information on the vulnerability and how to fix it. In February, Google revealed that ASI has helped over 300,000 developers fix over 1,000,000 apps on Google Play.
The article also notes that Android apps and Chrome extensions found to be abusing data "will be removed from Google Play and the Chrome Web Store."
Any bug bounty war stories? (Score:2)
I've thought about doing some amateur security research, but it seems like it'd be hard to actually find anything that you could claim as an original bug. (And then you also have to convince the people who are running the program.)
Re: (Score:3)
Has anyone here ever actually gotten a bug bounty? I've thought about doing some amateur security research, but it seems like it'd be hard to actually find anything that you could claim as an original bug.
It's not so hard. You will have to spend some time at it, learning to reverse APKs (there are good tools, but it still takes a significant amount of knowledge), understanding the Android security model, studying previous vulnerabilities for ideas, then doing the work. But (fortunately or unfortunately, depending on your point of view) there are a lot of bugs to be found. Or if you want to attack the platform rather than the apps, you'll need a different set of reversing and analysis skills. Fuzzing is o