Google will pay for hacking 13 applications in the Play Store

Google launched on the HackerOne platform a new payment program for the found vulnerabilities of Google Play Security Reward . The company has long paid large sums for vulnerabilities found in its products. But for the first time she decided to pay for the bugs found in other applications. However, the amount is not too big: only $ 1000, but then it is much easier to find vulnerabilities than in the programs of Google itself.



Paid bugs in 13 popular Android applications, including five applications from the Russian company Mail.Ru:

• Alibaba (com.alibaba.aliexpresshd)
• Dropbox (com.dropbox.android, com.dropbox.paper)
• Duolingo (com.duolingo)
• Headspace (com.getsomeheadspace.android)
• Line (jp.naver.line.android)
• Mail.Ru (ru.mail.cloud, ru.mail.auth.totp, ru.mail.mailapp, com.my.mail, ru.mail.calendar)
• Snapchat (com.snapchat.android)
• Tinder (com.tinder)

In due course the list can replenish, reports Google, so check it periodically.



The system works as follows. After a vulnerability is discovered, a hacker must report it directly to the developer according to the rules established by the developer. When he closes the bug, you can apply for a reward on the Google Play Security Reward program within 90 days.



A thousand dollars from Google will be an additional bonus to the reward that a hacker will receive from the developer if he has a paid reward system. For example, Mail.Ru pays up to $ 7,000 for high-quality holes . Separate programs are provided for VKontakte and Odnoklassniki applications.



To participate in the program, Google invites developers who have expressed an intention to close the bugs that will receive from the participants of Google Play Security Reward.



So far, only RCE (remote code execution) vulnerabilities are paid for, when an attacker can change the UI to complete a transaction or gain complete control over the application to download the code from a third-party server, or open a screen in the application that allows phishing attacks. Vulnerabilities are not paid for the operation of which any other specific program must be installed on the device.



In addition to the 13 programs listed, of course, Google pays for vulnerabilities in its own applications. And there the amount of remuneration reaches $ 31,337 for the remote execution of the code .