Google has made the decision to wind down the Google Play Security Reward Program (GPSRP), a bug bounty initiative that has been in place since late 2017. This program was designed to incentivize security researchers to identify and responsibly disclose vulnerabilities in popular Android applications. The winding down of the program is set to take effect on August 31st, following a noted decrease in actionable vulnerabilities reported by the security research community.
Background of the Program
Initially launched with a focus on a limited number of developers, the GPSRP allowed researchers to submit vulnerabilities affecting select applications. Eligible vulnerabilities included those that could lead to remote code execution or the theft of sensitive data, with initial payouts reaching a maximum of ,000 for the former and ,000 for the latter. Over time, the program expanded its reach to encompass a broader array of developers, including major players such as Airbnb, Amazon, Facebook, and TikTok, among others.
In August 2019, Google broadened the program’s scope to include all apps on the Google Play Store with at least 100 million installations, even if those apps did not have their own vulnerability disclosure or bug bounty programs. At the same time, the maximum rewards were significantly increased, with payouts of up to ,000 for remote code execution vulnerabilities and ,000 for issues related to insecure private data.
Impact and Achievements
The primary aim of the GPSRP was to enhance the security of the Play Store, and it has indeed contributed to this goal. Google reported that the data collected from the program facilitated the development of automated checks that scanned all apps available on the platform for similar vulnerabilities. By 2019, these automated processes had assisted over 300,000 developers in rectifying more than one million apps, thereby reducing the number of vulnerable applications available to users.
However, Google has now determined that the program is no longer necessary, citing an overall improvement in the security landscape of the Android operating system. In an email to participating developers, the company expressed gratitude for the contributions made by researchers, noting that the decrease in actionable vulnerabilities is a testament to the enhanced security measures implemented over the years.
“Due to this decrease in actionable vulnerabilities reported, we are winding down the GPSRP program. The GPSRP program will end on August 31st. Any reports submitted before then will be triaged by September 15th. Final reward decisions will be made before September 30th when the program is officially discontinued.”
The program's conclusion raises questions about the future of vulnerability reporting for Android apps. While the reduction in reported vulnerabilities indicates progress, it also suggests that some security researchers may lose the incentive to disclose future vulnerabilities responsibly, particularly in apps from developers that do not run their own bug bounty programs.