Any Android app with 100m+ installs now in bug bounty program

Google is willing to compensate cybersecurity researchers for their efforts to identify and report any vulnerabilities they can find in Android apps with 100m+ installs. This is a great opportunity – if you’ve got the right skills, that is.

To simplify the process, there is no need to register. Just post your findings on the HackerOne platform and Google will do the rest. Upon notification, if the developer fails to address the issues, Google will remove their app from the app store.

As a cybersecurity researcher, you could potentially be paid double, both under the Google Play Security Reward Program (GPSRP) as well as the company’s private bug bounty program (but make sure to submit twice).

To this date, GPSRP has paid out $265,000 in rewards. To motivate more people to try their hand at it, Google has decided to up the stakes.

In any case, if vulnerabilities are identified via the GPSRP, the developers of these apps are immediately notified through the Google Play Console and prompted to address the problem. Should they fail to respond in due time, Google automatically removes their app from the ecosystem.

According to Google, more than 300,000 developers have been able to fix in excess of 1,000,000 apps this way through the system that’s referred to as App Security Improvement (ASI). During the last year alone, 30,000 developers were able to fix 75,000 apps. Of course, the downstream effect ensures that these apps are not distributed until the specified issues are fixed.