A well-known proverb says: “better late than never”. This is exactly the case with Google’s latest decision.

As you may know, a variety of malware and “problem” applications are found in the official directory of Google Play. Apparently, neither automated control systems nor manual checks are able to eradicate malware. Google finally decided to take the first step toward recognizing this obvious problem and announced the launch of the Play Security Reward Program, which should benefit developers, users and, in general, make the Android ecosystem healthier.

The bug bounty initiative, which has traditionally been placed on HackerOne, will be directed not at Google’s own applications but at third-party applications. At the same time, it is Google, not the application authors, that will pay the rewards for detected bugs. Currently, the company is ready to offer researchers a very modest encouragement: up to $1,000 for a vulnerability.

So far only 13 applications from 8 developers are participating in the Play Security Reward Program: Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.ru, Snapchat and Tinder, but this list is expected to expand in the future. If a vulnerability is detected in one of the target products, Google developers promise to independently check all other programs on Google Play for this bug and, if necessary, to notify their developers of the problem.

For now, Google is only interested in RCE vulnerabilities and proof-of-concept exploits for them, aimed at devices running Android 4.4 and higher. Adware, fake applications and outright malware are not yet covered under the terms of the program.
