Google is informing developers enrolled in its Google Play Security Reward Program (GPSRP) that it won’t be paying rewards or bug bounties for any vulnerabilities found in Android apps starting August 31, 2024. Reports that developers submit before the deadline will still be considered for rewards. The final decision will be announced by September 30, 2024, after which the program will be officially discontinued.
The Android maker has also updated its Google Play Security Reward Program rules page to reflect the change. An email sent to enrolled developers claims the shuttering is apparently “a result of the overall increase in the Android OS security posture and feature hardening efforts,” which has led to a decrease in actionable vulnerabilities reported.
The program launched in 2017 and initially covered a few applications from participating developers. Over time, the program’s scope was expanded to include any application with over 100 million installs. By offering a separate bug bounty program for the Play Store, and by extension, even for apps that didn’t have their own bug bounty programs, Google seems to have eventually succeeded in making the Play Store a secure destination for Android apps.
Vulnerability data collected from these bug bounty reports also helps the search giant make automated checks, helping more than 300,000 developers fix more than 1,000,000 apps on Google Play, according to the company. By August 2019, just two years after launching the program, Google had already paid over $265,000 in bounties.
While shutting down the program does indicate Google’s confidence in the protective measures put in place on the Play Store, and that most big apps on the platform are secure on their respective developers’ ends, it also takes away the incentive for developers to report a vulnerability responsibly, especially if the vulnerable app doesn’t have a bug bounty program of its own.