In an email to participating developers, Google announced that it will wind down its Google Play Security Reward Program (GPSRP) on August 31st.
The program, a bug bounty scheme designed to reward security researchers for identifying and responsibly reporting vulnerabilities in popular Android apps, has been running since 2017.
@MishaalRahman not sure if this is within your scope of interest pic.twitter.com/uJoiuoXKkB
— Sean Pesce (@SeanPesce) August 16, 2024
Initially, only a small set of participating developers' apps were in scope, and researchers could submit only eligible vulnerabilities affecting those apps. Over the years the program grew well beyond that initial group, with developers such as Facebook, Amazon, Snapchat, TikTok, and Spotify bringing their apps into the program.
At launch, researchers were eligible for rewards of up to $5,000 for identifying and disclosing vulnerabilities that led to remote code execution. Those disclosing vulnerabilities that led to the theft of insecure private data could receive up to $1,000.
Google later raised the rewards to $3,000 for theft of insecure private data and up to $20,000 for remote code execution. It also expanded the program's scope to every app on the Google Play Store with at least 100 million installations.
By August 2019, Google had reportedly paid out over $265,000 to participating researchers.
The program's findings were also used to make the Google Play Store more secure: Google built automated checks that scan apps available in the store for the same classes of vulnerabilities and notify the affected developers. In 2019 alone, those checks helped developers fix over 1 million apps.
Good News and Bad News for the Google Play Store
According to Google, the program is shuttering due to a decrease in the number of actionable vulnerabilities reported, which is due to the “overall increase in the Android OS security posture and feature hardening efforts.”
The end of the GPSRP is both good news and bad news. If Google's reading is right, Android itself and its most popular apps are harder to exploit than they were in 2017, which can only be good.
However, Google will no longer fund rewards for researchers who responsibly disclose vulnerabilities in third-party Play apps. Unless an app's developer runs its own bug bounty program, a researcher who finds such a bug now has less incentive to report it, and some vulnerabilities could slip through the net.