While it might sound like shooting fish in a barrel – Google Play is working with HackerOne on a bug bounty program to find vulnerabilities in “in-scope” applications distributed through the Play Store. The number of apps in scope is limited but is expected to grow over time. The program covers remote-code-execution vulnerabilities, each submitted with a working proof of concept, on devices running Android 4.4 or higher.
For a while now, we’ve known that poorly coded or deliberately vulnerable apps have been distributed through the Play Store. Now a number of app developers, including Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.Ru, Snapchat and Tinder, are looking to the community to help them find dodgy code.
The Play Security Rewards Program will evaluate each submission and pay $1,000 for those that meet the evaluation criteria.
You can read more about the program at HackerOne.
One of the benefits of bug bounty programs is that hackers teetering on the edge of illegal activity can be tempted to put their skills to good use and help the community. The rewards offered in this program are solid and, although the scope is limited, should incentivise some positive action.