Google's Play Store can be a somewhat insecure place at times, despite the search giant's best efforts, so the company has announced an initiative, dubbed the Google Play Security Reward Program, to incentivize white hat hackers to help secure the Play Store and its apps. The new program is being administered with help from HackerOne, a prominent bug bounty proctor and one of the biggest centralized resources in the white hat community. The new program is already live and in early testing. Developers interested in making their apps' code available for white hat hackers to inspect and report bugs in can notify Google of their interest through their Play Console.
The way the new program will work is a bit different from the way that Google pays hackers to help keep its other products safe. Rather than submitting bugs and vulnerabilities directly to Google, hackers will submit them to the developer of the app itself. The kicker is that the developer has to not only verify the vulnerability or security risk, but actually do something about it. Once the bug is confirmed to be fixed, the hacker can submit proof of the fix to Google to obtain their payment. This means that a hardworking hacker could end up shortchanged by a developer who either can't fix a bug without breaking the app or simply doesn't fix it, though this is an unlikely scenario at this point because the program is strictly opt-in for developers. Google's press release did not specify whether it will stay that way.
Google has been paying out fairly large amounts to security researchers for bugs found in its mainline products for some time. The Android OS and Chrome are two of the biggest bug bounty targets, but Google services like Drive and Search have been included in the company's bug bounty program in the past. This approach is becoming more and more popular in the tech field, though some companies still ignore such reports, fix flaws without notifying or rewarding researchers, or even threaten legal action, either as punishment for hacking their products or to keep the security researchers from publishing their findings.