Google bug bounty : Find bugs in android apps and win $1000

Google Play is working with the independent bug bounty platform, and the developers of popular Android apps to implement the Google Play Security Reward Program. Developers of popular Android apps are invited to opt-in to the program, which will incentivize security research in a bug bounty model. 
The goal of the program is to further improve app security which will benefit developers, Android users, and the entire Google Play ecosystem. To find out about other Android security initiatives, visit the Android Security Center.

How does it work?

At a high level, the process will look like this:
  • Hacker identifies vulnerability in an in-scope app and reports it directly to the app’s developer via their current vulnerability disclosure process.
  • App developer works with the hacker to resolve the vulnerability.
  • Once the vulnerability has been resolved, the hacker requests a reward from the Google Play Security Reward Program.
  • Android Security team issues an additional reward to the hacker to thank them for improving security within the Google Play ecosystem.

Rules :

  • All vulnerabilities must always be reported directly to the app developer first. This program is only for requesting bonus bounties after the original vulnerability was resolved with the app developer.
  • Only developers who have expressed a commitment to fixing bugs which are disclosed to them have been invited to the program. It is the responsibility of each developer to respond and fix bugs in a timely manner.
  • Please provide detailed reports with the requested information in the submit report form. Reports not containing the required information and that do not meet the criteria for this program will not be eligible for a reward.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue reported to the same developer will be awarded one reward.
  • We aim to be fair; all reward amounts are at our discretion.

Vulnerability Criteria :

For now, the scope of this program is limited to RCE (remote code execution) vulnerabilities and corresponding PoCs (proofs of concept) that work on Android 4.4 devices and higher.
This translates to any RCE vulnerability that allows an attacker to run code of their choosing on a user’s device without user knowledge or permission. Examples may include:
  • Attacker gaining full control, meaning code can be downloaded from the network and executed (download and execute arbitrary code: native code, Java code, JavaScript, etc.).
  • UI Manipulation to commit a transaction. For example, causing a banking app to make money transfers on behalf of the user without their consent.
  • Opening a WebView without user input or interaction, which may lead to phishing attacks.
There is no requirement that the OS sandbox be bypassed.
Any vulnerability that requires collusion between apps, or where there is a dependency for another app to be installed is considered to be out of scope, and thus will not qualify for a reward.

Scope of winning :

All vulnerabilities must be reported directly to the app developer first. Only submit issues to the Play Security Rewards Program that have already been resolved by the developer.
Additionally, only issues that have been patched within the last 90 days will qualify. If you wait longer than 90 days from a fix being made publicly available, your report will not qualify!
All Google-developed Android apps available on Google Play are in scope. Please report vulnerabilities in Google apps to the Google Vulnerability Reward Program or, for Chrome specifically, to the Chrome Reward Program. There is no need to submit vulnerabilities again to the Google Play Security Reward Program for the additional reward.
Issues identified in the following apps also qualify for the program. After the developer has resolved the vulnerability, submit it to the Play Security Reward Program to be considered for the bug bounty:

Organization/Developer | Package Name | Submit vulnerabilities to:
Alibaba   | com.alibaba.aliexpresshd | https://security.alibaba.com/en/
Dropbox   | com.dropbox.android, com.dropbox.paper | https://hackerone.com/dropbox
Duolingo  | com.duolingo | https://hackerone.com/duolingo
Headspace | com.getsomeheadspace.android | https://hackerone.com/headspace
Line      | jp.naver.line.android | https://bugbounty.linecorp.com/
Mail.Ru   | ru.mail.cloud, ru.mail.auth.totp, ru.mail.mailapp, com.my.mail, ru.mail.calendar | https://hackerone.com/mailru
Snapchat  | com.snapchat.android | https://hackerone.com/snapchat
Tinder    | com.tinder | https://www.gotinder.com/security

Over time, additional apps may come into scope, so please check back regularly. Only the apps listed above have opted-in to the Play Security Rewards Program and are eligible for rewards. Please do not submit issues for any apps not listed above.

Rewards :

The Play Security Rewards Program will evaluate each submission based on the above Vulnerability Criteria and reward accordingly. A reward of $1000 will be awarded for issues that meet these criteria. Any and all reward decisions are ultimately at the discretion of the Google Play Security Rewards Program.
In the future, other vulnerabilities may be introduced into scope.
