Google ends rewards for finding security flaws in Android apps
Google has announced the termination of its Google Play Security Reward Program (GPSRP), a bug bounty initiative that paid security researchers for identifying vulnerabilities in popular Android apps. The GPSRP, launched in October 2017, was initially restricted to a select group of developers, who could report eligible vulnerabilities only in apps from a limited number of participating developers. The program will officially end on August 31, according to an email sent by Google to participating developers.
GPSRP's expansion and impact on app security
The GPSRP expanded over time to include developers of major Android apps like Airbnb, Alibaba, Amazon, Dropbox, Facebook, and Grammarly among others. In August 2019, Google extended the program to all apps on Google Play with at least 100 million installations. The company increased the rewards in July 2019 to a maximum of $20,000 for remote code execution bugs and $3,000 for bugs leading to the theft of insecure private data or access to protected app components.
Program's role in enhancing Play Store security
The main objective of the GPSRP was to enhance the security of the Play Store. Google used vulnerability data from this program to develop automated checks that scanned all apps on Google Play for similar vulnerabilities. In 2019, these automated checks assisted over 300,000 developers in fixing more than one million apps on Google Play, thereby reducing the number of vulnerable apps available to Android users.
Reason behind GPSRP's termination
Google attributes the decision to end the GPSRP to a decrease in the number of actionable vulnerabilities reported. The company credits this decrease to an "overall increase in the Android OS security posture and feature hardening efforts." Google hasn't said how much it has paid out to security researchers since its last disclosure, but the figure is believed to be significantly higher than $265,000, given the time elapsed since that disclosure and the number of popular apps targeted by security researchers.