Google is hoping to diminish the risks present in some apps on the Play Store through an expansion of its bug bounty programs. That includes both a set of big changes to its existing Google Play Security Rewards Program (GPSRP) and the introduction of a brand new program the company is calling the Developer Data Protection Reward Program (DDPRP).
The latter announcement is arguably the more impactful of the two since it covers a wider gamut of issues. The goal of the new program is to combat data abuse. More directly, the program will be used by security researchers to identify related bugs and mitigate problems.
The effort will extend well beyond the Google Play Store too. Google is looking to offset vulnerabilities and misappropriation that can sometimes be found in Android apps, OAuth projects, and Google Chrome extensions.
DDPRP doesn't simply pertain to those abuses that are obviously malicious, either. It pertains to any situation where user data is being used, repurposed, or sold in ways the user doesn't expect.
User consent is of primary concern here, whether that's deliberate or not. Apps or extensions that don't obtain clear user consent and violate policies will be removed. In some cases, developers discovered to be abusing access to data via API will have their access to those API removed.
Google hints that bug bounties from the expansion will be set relatively high. No maximum has been decided yet and there's still no reward table in place. But a single report could net a finder as much as $50,000, regardless, the company says.
Big changes are here for the Google Play Security Reward Program too
The introduction of the new bug bounty program is not the only change that's going on at Google though. Not content with just releasing a new security bug bounty program for its app store, Google is also implementing an expansion to the standing GPSRP.
In part, the adjustment is really more of a change in scope. Apps that have over 100 million installs on the Play Store now eligible as part of the rewards program. That should equate to more apps being examined more closely, to begin with.
Because not every developer has its own rewards program in place, the discovery of malicious activity or bugs in those apps or extensions also nets finders a reward directly from Google. Those rewards will be available regardless of whether or not a developer already has its own program in place. In those cases, Google's reward will stack on top of those programs' rewards.
Google will be offering assistance to developers of the apps too, helping more directly when it comes to fixing problems in the apps. The move should make it easier for developers to release patched apps more quickly if and where issues are discovered.
The new bug bounty expansion will protect both Google and users
At first glance, Google's plan looks like an attempt to solve problems in the app market by throwing more money at it. In reality, that's exactly what it is. But throwing money at the problem, or rather at researchers who can discover problems, is a proven approach.
The program works by first notifying affected developers directly through the Play Console. The notification arrives alongside tips to help app creators fix issues before they become a problem.
Since being implemented, Google says the program has helped more than 300,000 developers in that way. In total, that's prevented users from potential harm from more than a million applications. Just in 2018, that stopped as many as 75,000 apps from being downloaded with vulnerabilities in place. A combined $75,000 was paid out just between July and August of last year.
That investment isn't just to protect end-users though. Google has faced its own consequences as a result of privacy and data security concerns. In some cases, the search giant has paid significant fines and faced other repercussions. By implementing new strategies and extending those it already has in place, the company is effectively protecting itself by being proactive.