Google has launched a new bug bounty programme offering white hat hackers and security experts rewards of $1,000 (£761) and more for finding vulnerabilities in some of its most popular Android apps. Launched in partnership with HackerOne, a Silicon Valley-based bug bounty management platform, the Google Play Security Reward Program encourages researchers to scour select popular apps, created by Google as well as third-party developers, for bugs.
Researchers must report the vulnerability to the Android app's developers and work with them to fix the flaw. Once resolved, the hacker can then request the reward from Google.
The bug bounty programme, however, is not open to everyone.
"Only developers who have expressed a commitment to fixing bugs which are disclosed to them have been invited to the programme," Google's post on HackerOne reads.
The programme currently covers remote code execution (RCE) vulnerabilities, with corresponding proofs of concept (PoCs), that work on devices running Android 4.4 and higher.
Qualifying vulnerabilities include those that would allow an attacker to gain full control of an Android device, manipulate a user interface to trigger or hijack a transaction, or open a web view that could lead to a phishing attack.
"There is no requirement that OS sandbox needs to be bypassed," Google said. "Any vulnerability that requires collusion between apps, or where there is a dependency for another app to be installed is considered to be out of scope, and thus will not qualify for a reward."
The programme currently includes select Android apps such as Alibaba, Dropbox, Duolingo, Headspace, LINE, Snapchat and Tinder, as well as "all Google-developed Android apps available on Google Play." The company said more apps may be added in the future.
"At Google, we have long enjoyed a close relationship with the security research community," Vineet Buch, director of product management for Google Play said in a blog post. "The programme will help us find vulnerabilities and notify developers via security recommendations on how to fix them. We hope to bring the success we have with our other reward programmes, and we invite developers and the research community to work together with us on proactively improving Google Play ecosystem's security."
According to F-Secure, more than 99% of all malware designed for mobile devices targets Android, owing to its "relatively open system" of app distribution compared with the stringent "walled garden" approach of Apple's iOS App Store.
Google's larger Vulnerability Rewards bug bounty programme, which covers Chrome and Android, has paid researchers more than $9m since its launch in 2010, and over $3m in rewards in 2016 alone.