including at Avira). This Google program has previously paid out $266,000 to hackers for their bug discoveries with an average payment of $1,000. The move comes on the heels of the discovery that CamScanner, a popular app on Google Play, had been distributing malware to unsuspecting users. While the app itself — with over 100 million downloads and 1.8 million positive reviews — was not malicious, a component from a third-party was being used for ad click fraud and other malicious activities.
Potentially more interesting is Google’s launch of the Developer Data Protection Reward Program. It is designed to “identify and mitigate data abuse issues in popular Android applications, OAuth projects, and Chrome extensions.” This quest for “data abuse issues” means getting people to directly report instances where data was sold, disclosed, or shared in a way that violates the Google conditions or is done without the user’s consent. Lucky bug hunters here can get up to $50,000 and the offending app might be removed from the Play store. Not all apps and extensions are covered. Apps in the Google Play store need to have over 100 million installs while Google APIs and extensions each need more than 50,000 users.
Launch of the Developer Data Protection Reward Program comes as technology companies are increasingly scrutinized for their treatment of private user data. Paying out rewards of $1,000 – the top bounty range – for identifying bad data use would be chump change in comparison to the political benefits of demonstrating a concern for proper data use and handling. According to the program webpage, total payout during the first month of the program was $5,500.