Google sought to curb misuse of user information among apps in its Play Store, launching a new bounty programme which will reward developers who report apps that violate the company’s data policies.
Through its new Developer Data Protection Reward Program, created in collaboration with HackerOne, Google aims to identify and remove Play Store apps and extensions for its Chrome web browser which abuse customer data. Specifically, the company said it is looking for apps which use or sell data unexpectedly, or repurpose it in an “illegitimate way without user consent”.
While Google hasn’t yet listed a full reward schedule, it said a single report could yield a payout as large as $50,000.
The company also expanded the scope of a bug bounty programme targeting security flaws in Play Store apps, extending it to include all apps with 100 million installs or more. Previously, only a small selection of popular apps were covered.
Since the Google Play Security Reward Program launched in 2017, bug hunters have reaped more than $265,000 in rewards from it. While that number is a fraction of the more than $15 million Google has paid out across all of its bounty programmes, it could quickly increase given the expanded eligibility range and higher reward amounts Google instated last month.
“With these changes, we anticipate even further engagement from the security research community to bolster the success of the program,” it said in a blog post.
Google noted it uses data gleaned from the programme to automatically scan other apps for similar flaws. Input from more than 300,000 developers has helped fix more than 1 million apps to date, it added.