Google ends bug bounty program for Android apps

Google has announced that it is ending its Android app vulnerability reward program known as the Google Play Security Reward Program (GPSRP). The program, launched in October 2017, allowed third-party developers to receive cash rewards for identifying bugs in popular applications posted on the Google Play store.

Image Source: Photo Mix/Pixabay

The GPSRP program was launched with the aim of making the Google Play Store a safer place for Android users. GPSRP was designed for a limited number of cybersecurity specialists and provided rewards for vulnerabilities leading to remote code execution or theft of confidential data, explains Android Authority. The maximum payouts were $5,000 (remote code execution) and $1,000 (data theft), respectively. Over time, the program began to expand and included applications from such large companies as Airbnb, Amazon, Facebook✴, Spotify, TikTok and many others.

In August 2019, Google included all apps that received more than 100 million installs. During the same period, the maximum reward amount was increased to $20,000 for vulnerabilities associated with remote code execution, and to $3,000 for vulnerabilities leading to data theft or access to protected application components. The information collected by the program was used to create automated scans that scanned all apps on Google Play for similar vulnerabilities. In 2019, Google reported that these checks helped more than 300,000 developers fix vulnerabilities in more than 1 million applications.

Despite the successes, Google decided to close GPSRP. In a letter sent to developers, the company explained that the number of identified vulnerabilities has decreased significantly in recent years, which is due to “an overall strengthening of Android security measures and an increase in the security of the Android operating system.” In this regard, the program stops working.

«Due to the general increase in the level of Android security and strengthening of its functionality, we are seeing a decrease in the number of identified vulnerabilities, says a letter from the Android Security team. “Therefore, we have decided to end the GPSRP program on August 31.” Google also emphasized that all reports submitted before this date will be processed, and final decisions on rewards will be made by September 30.

In closing, Google expressed its gratitude to all the professionals who participated in the program and looked forward to their participation in other company initiatives such as Android and the Google Devices Security Reward Program.