Google has maintained such bug bounty programs for a number of their platforms such as Chrome and Chrome OS among others. This program’s scope for now is restricted to RCE (remote-code-execution) vulnerabilities and corresponding POCs (Proof of concepts) that work on Android 4.4 devices and higher. How it Works Within the bug bounty program, a researcher needs to find a vulnerability among the apps covered. Once found, they will have to report it to the app developer via their current reporting process. The app developer will then work with the researcher to resolve the vulnerabilities found within 90 days. The researcher can then claim the bounty from Google which will evaluate if it meets the program’s criteria before handing over the $1,000 reward. For this program, Google is working alongside HackerOne – a vulnerability coordination and bug bounty platform . Developers can participate in the program only if they’re willing to respond to and help fix the vulnerabilities found in a timely manner. They will also need to follow HackerOne’s disclosure guidelines and provide reports with the required details. The apps currently in the scope of the program include Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.ru, Snapchat, and Tinder with more to be added as time goes on.
