Security vulnerabilities lurk within many of the applications we rely on daily, and no company can realistically identify and fix every issue on its own. This is where bug bounty programs play a pivotal role, enlisting external experts to uncover and resolve these hidden flaws. One notable initiative, the Google Play Security Reward Program (GPSRP), has incentivized researchers to identify vulnerabilities in widely used Android applications. However, this program is set to conclude at the end of this month.
No more rewards for finding Android app vulnerabilities
Recent reports indicate that Google has decided to phase out the GPSRP, with notifications sent to participating developers confirming that the program will officially end on August 31. The rationale behind this closure is a noticeable decline in the number of actionable vulnerabilities being reported. Google attributes this positive trend to enhancements in Android OS security and ongoing initiatives aimed at hardening app features.
Launched in October 2017, the GPSRP was designed to encourage security researchers to identify and responsibly disclose flaws in popular Android applications available on the Google Play Store. Initially, the program was limited to a select group of developers and a restricted set of apps. Over time, however, it expanded its scope to encompass all applications on Google Play that boasted at least 100 million installations.
With the GPSRP, developers could earn money by finding security flaws in Android apps. | Image credit – Google
The GPSRP was founded with a clear objective: to enhance the safety of the Play Store for Android applications. Google utilized the vulnerability data gathered through the program to develop automated scans that scrutinized all apps on Google Play for similar issues. This proactive approach has empowered over 300,000 developers to rectify more than 1,000,000 applications, resulting in a significant reduction of risky apps reaching Android users.
The decision to close the GPSRP has mixed implications. On one hand, it signals that major applications have made considerable progress in securing their platforms. On the other hand, it raises concerns that security researchers will have less incentive to report vulnerabilities responsibly. This could pose a challenge, particularly for apps developed by companies that lack robust processes for receiving and triaging bug reports.