Back in 2017, Google launched an initiative called the “Google Play Security Reward Program” that allowed developers and security researchers to find vulnerabilities in popular Android apps and earn money for their work. While the program incentivized adept researchers to scrutinize Play Store apps to find any possible vulnerability, Google has announced that it will end at the end of this month.
According to an email Google sent to developers, the Google Play Security Reward Program (GPSRP) will end on August 31, nearly seven years after its launch. Reports sent before this time frame will be reviewed by September 15, and final decisions for paying the remaining rewards will be made by the end of September.
Google cites “overall increase in the Android OS security posture” and “feature hardening efforts” as the reason behind winding down its bug bounty program.
The Google Play Security Reward Program was initially limited to a small group of Android developers. It paid $5,000 for finding remote code execution vulnerabilities and $1,000 for theft of private data. In 2019, rewards for finding these vulnerabilities increased to $20,000 and $3,000, respectively. The program also covered Google Play apps with at least 100 million installations.
While it’s good to see that Android’s security has become so robust that it doesn’t require outside help to find security holes, winding down the GPSRP could negatively impact Play Store security as researchers no longer have the incentive to sharpen their eyes.
Here is the email Google sent to developers:
“Dear Researchers,
I hope this email finds you well. I am writing to express my sincere gratitude to all of you who have submitted bugs to the Google Play Security Reward Program over the past few years. Your contributions have been invaluable in helping us to improve the security of Android and Google Play.
As a result of the overall increase in the Android OS security posture and feature hardening efforts, we’ve seen fewer actionable vulnerabilities reported by the research community. Due to this decrease in actionable vulnerabilities reported, we are winding down the GPSRP program. The GPSRP program will end on August 31st. Any reports submitted before then will be triaged by September 15th. Final reward decisions will be made before September 30th when the program is officially discontinued. Final payments may take a few weeks to process.
I want to assure you that all of your reports will be reviewed and addressed before the program ends. We greatly value your input and want to make sure that any issues you have identified are resolved.
Thank you again for your support of the GPSRP program. We hope that you will continue working with us, on programs like the Android and Google Devices Security Reward Program.
Best regards,
Tony
On behalf of the Android Security Team”
Source: Android Authority
1 Comment - Add comment