Quote:Google has decided to expand the Google Play Security Reward Program, or the GPSRP, to include third-party Android apps published in the Google Play Store and having more than 100 million installs.
 
In other words, security researchers who find vulnerabilities in the most popular Android apps and report them through the program are eligible for bounties, even if the developer of these apps doesn’t have an active reward program.

However, in case the devs do have a bounty program, the researchers can get two different payments, one of which comes from Google.
 
Google will then forward the vulnerability reports to the developers in order to patch the flaws, and the search giant says it encourages and app creator to launch their own vulnerability disclosure or bug bounty program.

“Vulnerability data from GPSRP helps Google create automated checks that scan all apps available in Google Play for similar vulnerabilities. Affected app developers are notified through the Play Console as part of the App Security Improvement (ASI) program, which provides information on the vulnerability and how to fix it,” Google says.