Google has announced the closure of its Android app vulnerability bounty program, known as the Google Play Security Reward Program (GPSRP). Launched in October 2017, the program allowed third-party developers to earn cash rewards for finding bugs in popular apps on the Google Play Store.
The GPSRP was initiated with the aim of enhancing security for Android users on the Google Play Store. Initially designed for a limited number of cybersecurity professionals, the program offered rewards for vulnerabilities that led to remote code execution or theft of sensitive data. The maximum payouts were $5,000 for remote code execution and $1,000 for data theft.
Program Evolution and Achievements
Over time, the GPSRP expanded to include apps from major companies such as Airbnb, Amazon, Facebook, Spotify, TikTok, and many others. In August 2019, Google broadened the program’s scope to encompass all apps with more than 100 million installs. Concurrently, the maximum reward amounts were increased to $20,000 for vulnerabilities related to remote code execution and $3,000 for vulnerabilities leading to data theft or access to protected app components.
Information collected through the program was used to create automated checks that scanned all apps on Google Play for similar vulnerabilities. In 2019, Google reported that these checks assisted more than 300,000 developers in fixing vulnerabilities in over 1 million apps, showcasing the program’s significant impact on app security.
Reasons for Closure and Future Outlook
Despite its success, Google has decided to discontinue the GPSRP. In a letter sent to developers, the company explained that the number of identified vulnerabilities has significantly decreased in recent years. This decline is attributed to “general strengthening of Android security measures and the improvement of the Android operating system security,” notes NIXsolutions.
The Android Security team stated in their letter, “As Android’s overall security posture and functionality have improved, we’ve seen a decline in the number of vulnerabilities being reported. We’ve therefore decided to end the GPSRP program on August 31.” Google assured that all reports submitted before the closure date will be processed, with final decisions on rewards to be made by September 30.
Google concluded by expressing gratitude to all researchers who participated in the program and encouraged their continued involvement in other company initiatives, such as Android and the Google Devices Security Reward Program.
We’ll keep you updated on any future developments or new security programs that Google may introduce to replace or complement the GPSRP. As the Android ecosystem continues to evolve, it’s clear that Google remains committed to maintaining and improving security measures for its users and developers alike.