Google’s seven-year-long bug bounty program for popular Android apps on the Google Play Store is set to conclude on August 31, 2024. The program, which rewarded security researchers for finding and responsibly disclosing vulnerabilities, has been a cornerstone in bolstering the security landscape of the Android ecosystem.
Bug bounty hunters who are interested in cashing in by identifying flaws in the millions of downloadable apps offered in the Google Play Store now have less than two weeks to tender their submissions.
History of Google Play Store’s Bug Bounty Program
Launched in 2017, the Google Play Security Reward Program (GPSRP) incentivized researchers to meticulously scrutinize popular Android apps for potential security loopholes. By offering substantial rewards for critical vulnerabilities, Google encouraged a dedicated community of white-hat hackers to actively contribute to enhancing app security.
Initially, the program focused on a select group of developers and apps, offering rewards of up to $5,000 for the most critical vulnerabilities like remote code execution. Eventually, in 2019, the scope widened to include all apps distributed on the platform with over 100 million downloads, with payouts reaching $20,000.
However, in a recent announcement to researchers through an email, Google revealed its decision to wind down the program. The company attributed this move to a significant decline in actionable vulnerabilities being reported. This reduction is largely credited to the overall improvement in Android OS security and the implementation of robust security measures within the platform itself.
In the last financial year, Google said that it had blocked 2.28 million privacy-violating apps and banned 333,000 malicious developer accounts, alongside other Play Store improvements.
Google has emphasized that the decision to end the program does not signify a relaxation of its commitment to Android security. The company will continue to invest in various security initiatives, including the Android Vulnerability Rewards Program (AVRP), which focuses on the underlying Android OS.
The winding down of the GPSRP marks a significant shift in Google’s approach to Android app security. While the program has undoubtedly contributed to improving app security, its termination raises questions about the future of vulnerability discovery and the overall security posture of the Android ecosystem.
In the meantime, app developers and users alike should remain vigilant about app security best practices. Keeping apps updated, exercising caution when granting permissions, and being mindful of suspicious activities are crucial steps in safeguarding personal information and device security.
Full Text of Email by Google to Developers
Dear Researchers,
I hope this email finds you well. I am writing to express my sincere gratitude to all of you who have submitted bugs to the Google Play Security Reward Program over the past few years. Your contributions have been invaluable in helping us to improve the security of Android and Google Play.
As a result of the overall increase in the Android OS security posture and feature hardening efforts, we’ve seen fewer actionable vulnerabilities reported by the research community. Due to this decrease in actionable vulnerabilities reported, we are winding down the GPSRP program. The GPSRP program will end on August 31st. Any reports submitted before then will be triaged by September 15th. Final reward decisions will be made before September 30th when the program is officially discontinued. Final payments may take a few weeks to process.
I want to assure you that all of your reports will be reviewed and addressed before the program ends. We greatly value your input and want to make sure that any issues you have identified are resolved.
Thank you again for your support of the GPSRP program. We hope that you will continue working with us on programs like the Android and Google Devices Security Reward Program.
Best regards,
Tony
On behalf of the Android Security Team