Thursday, October 19, 2017

Google Play Security Reward

Google is unveiling a new competition that will use crowdsourcing to uncover bugs in popular Play Store apps. The “Google Play Security Reward” program invites users to poke around some of the popular apps and look for vulnerabilities. Only a few apps are currently involved in the program, including apps created by Google as well as third parties. All the Google-developed Android apps are on the list for the challenge, as well as Alibaba, Dropbox, Duolingo, Headspace, LINE, Snapchat and Tinder.

If you are able to help a developer fix a bug, Google will reward you with $1,000 in addition to the bounty the third-party developer may pay. Google does not have an interest in knowing of any of the bugs until after they are solved. The company will review any of the fixes and then hand out the reward. It is using HackerOne to handle most of the back end for this program, from submitting reports to inviting hackers to the program.


How will Google truly benefit from this program if they only look at solutions rather than the problem and the solution? Do you think it will benefit Google to have this program even though they outsourced most of the work to HackerOne? 

8 comments:

  2. Hi Emma,

    I think it would be beneficial for Google to participate in crowdsourcing in order to get feedback from consumers. They should find it very rewarding to be in collaboration with actual users of their products to determine where the issues are arising. This is also a way for the company to improve their customer loyalty as individuals know they actually care about the people using their products. Overall, any feedback they receive and people finding issues they didn't know about can help in a lot of ways. If Google has the time and money to invest in such a program they should continue this new initiative. Great, short read.

  3. Hi Emma,

    Interesting topic. I think this will help Google in their interaction with customers. However, I don't think this would help Google to solve real big problems with their bugs. Google could gather ideas from others. However, if a bug is really big and even a senior programmer at Google cannot fix it, I don't think we can help them lol.

  4. Hi Emma,

    Upon reading this I thought to myself what would really be the incentive for people to find and fix bugs if a company as big as Google was only paying $1000.00, but I did some further research, and in terms of man hours the cost to repair a certain bug ranges per company and per what type of software but could be anywhere from $1500.00-whatever. If it's a big enough issue (unlikely from releases of Google) it could result in thousands and thousands of dollars. Obviously, Google is shelling out products with a lot of minor bugs as they have paid out more than 9 million dollars in Security Reward money as of January 2017 (Kumparak). Seems like a great, efficient program that they will likely keep around, since they are benefitting (not using their own personnel, not paying top dollar).

    Replies
    1. TJ, do you have a link to the research you did about how much bugs cost to fix? What is Kumparak? Please provide a link, so we can learn more about this.

  5. Hi Emma,

    I have always found these sorts of competitions to be ingenious. There are plenty of talented developers and security professionals that may be able to uncover bugs that Google and these third-party developers may not detect themselves. This is a great crowdsourcing method to incentivize these large communities to help them. This is likely cheaper and more effective than trying to find and fix all of these bugs themselves.

  6. Hi Emma!

    Very interesting post!

    I think this is a very unique way for Google to approach their vulnerabilities. While I could see how this could benefit them in that their users may find things they may not be seeing, I could also see how this could come off as being lazy and ultimately vulnerable. If the top security professionals are unable to find these vulnerabilities, what does that say about Google's hiring capabilities? In the end I feel like their outsourcer, HackerOne, could see this as a threat or even as a way Google is telling them they are not doing a good job. Google has to be very careful about the way they go about this so that they do not scare off HackerOne.

    -Lindsay Logsdon
