A recent initiative that a number of software companies have embraced is the adoption of bug bounty schemes, in other words, paying security researchers to find vulnerabilities and security flaws in their software so that they can subsequently be patched. While this may have led to the decline in iOS jailbreaking, which is something you can read about in more detail here, there's no denying that it has countless benefits for the end user, who subsequently receives a more secure software package. And today, Google have announced that they will be joining in on the action once more, with the launch of the Google Play Security Rewards Program.
The focus of this programme is improving the security of a number of high-profile applications on the Google Play Store, and thereby reinforcing security within the Android operating system. Notably, Google requires that all apps invited into the programme have their own existing coordinated disclosure programme. Under the reward rules, the discoverer of the vulnerability can claim the reward up to 90 days after the vulnerability is made public by the app's developers (also note that it's likely these apps have their own bug bounty schemes in place, so the Google bounty is merely an additional bonus). With this in mind, the relatively low single payment tier that Google is offering makes more sense: the bug bounty programme currently has only one payment tier, which is $1,000 for remote code execution vulnerabilities that are proven to be present on Android 4.4 or higher and do not require the installation or use of additional applications.
The launch partners for this programme are a series of fairly well-known, high-profile apps on the Google Play Store: Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.ru, Snapchat, and Tinder. Google has stated that more will be joining if the programme is successful, and we certainly hope it is, as bug bounty schemes like this work in favour of the consumer, who will subsequently be receiving safer and more secure software. You can read more about it on the programme's HackerOne page.
What do you guys think? Are you a security researcher who will join in on this? How do you think this will impact the Google Play Store as a whole? Let us know in the comments, or post over in the forums with your thoughts.