The expansion of Google's vulnerability reward program consists of two main announcements.
First, a new program, dubbed 'Developer Data Protection Reward Program' (DDPRP), wherein Google will reward security researchers and hackers who find "verifiably and unambiguous evidence" of data abuse issues in Android apps, OAuth projects, and Chrome extensions.
Just a few days earlier, Facebook announced that it has filed its first lawsuit against two Asian developers for "click injection fraud—where developers made apps available on the Google Play store to infect their users' phones with malware [which] created fake user clicks on Facebook ads that appeared on the users' phones, giving the impression that the users had clicked on the ads."
Second, Google is expanding the scope of its Google Play Security Rewards Program (GPSRP) to include all Android apps on the Google Play Store with 100 million or more installs, helping affected app developers fix vulnerabilities through responsible disclosure.
Get Bounty to Find Data-Abusing Android & Chrome Apps
The data abuse bug bounty program aims to avoid scandals like Cambridge Analytica, which cost Facebook $5 billion in fines for failing to identify situations where user data was being used or sold unexpectedly, or repurposed illegitimately without user consent.
"If data abuse is identified related to an app or Chrome extension, that app or extension will accordingly be removed from Google Play or Google Chrome Web Store," Google says in its blog post published today.
"In the case of an app developer abusing access to Gmail restricted scopes, their API access will be removed."
Google has not yet published a reward table for the DDPRP program, but it says a single report could net up to $50,000 in bounty, depending on the impact.
Bug Bounty On All Android Apps With 100 Million+ Downloads
The GPSRP program, initially launched in 2017, was until today limited to reporting vulnerabilities in a handful of popular Android apps on the Google Play Store.
With the latest announcement, Google will now work with the developers of hundreds of thousands of Android apps, each with at least 100 million downloads, so that they receive vulnerability reports and patching instructions through their Play Console.
"These apps are now eligible for rewards, even if the app developers don't have their own vulnerability disclosure or bug bounty program," Google says.
"If the developers already have their own programs, researchers can collect rewards directly from them on top of the rewards from Google."
Part of Google's App Security Improvement (ASI) program, this existing initiative has already helped over 300,000 developers fix more than 1,000,000 apps on the Google Play Store.
Hopefully, both measures will help Google prevent malicious Android apps and Chrome extensions from abusing its users' data, as well as strengthen the security of apps distributed through the Play Store.