New Google bug bounty allows reporting the abuses of Google API, Chrome, and Android user data

Pierluigi Paganini September 01, 2019

Recently, Google announced a new bug bounty program for experts who report abuses of Google API, Chrome, and Android user data.

Google announced the Developer Data Protection Reward Program (DDPRP), a new bounty program aimed at security experts who discover data abuse issues in popular Android applications, OAuth projects, and Chrome extensions.

Researchers could report cases of data abuse in third-party apps that have access to the Google API, in Android apps listed on the Play Store, and in Chrome apps and extensions listed on the Chrome Web Store.

“It recognizes the contributions of individuals who help report apps that are violating Google Play, Google API, or Google Chrome Web Store Extensions program policies.” reads the announcement published by Google.

“The program aims to reward anyone who can provide verifiably and unambiguous evidence of data abuse, in a similar model as Google’s other vulnerability reward programs. In particular, the program aims to identify situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent.”

The bug bounty program is operated via the HackerOne platform.

Google will analyze every case reported by researchers and will offer rewards of up to $50,000 for verified cases of abuse.

“If data abuse is identified related to an app or Chrome extension, that app or extension will accordingly be removed from Google Play or Google Chrome Web Store.” concludes Google. “In the case of an app developer abusing access to Gmail restricted scopes, their API access will be removed. While no reward table or maximum reward is listed at this time, depending on impact, a single report could net as large as a $50,000 bounty.”

Google also announced it will expand its Play Store bug bounty program to include any Android app in the official store that has over 100 million user installs. In this case, the tech giant will relay the vulnerabilities to the app developers, and if they are not able to address the issues, Google will remove the apps from the Play Store.


Pierluigi Paganini

(SecurityAffairs – bug bounty, Google)
