Google takes a little more responsibility for its Android world, will cough up bounties for mega-popular app bugs

Payouts extended to anything with more than 100m installs


Google is expanding its Android bug-bounty program to cover not just holes in the web giant's apps but also vulnerabilities in third-party software – as long as they have more than 100 million installs.


We're told that if an Android application's maker already runs their own bug bounty program, infosec peeps can still claim those prizes from the developers – as well as rewards from the web-search king via its enlarged Google Play Security Reward Program. If an eligible popular app doesn't have its own bug bounty, Google will cough up the cash for any holes reported, and alert the developers to the flaws in their code.


"In these scenarios, Google helps responsibly disclose identified vulnerabilities to the affected app developer," Googlers Adam Bacchus, Sebastian Porst, and Patrick Mutchler explained in