The Google Play Security Reward Program is coming to an end after seven years of operation protecting the users of the Android Play Store. The bug bounty program is being discontinued, which means that the company will no longer reward people for finding bugs in apps published on the Play Store. The winding down of the Google Play Security Reward Program (GPSRP) has been linked to the “decrease in actionable vulnerabilities reported,” and as a result, the program will draw to a close on August 31.


Google Play Security Reward Ends: More than 1,000,000 Apps Have Been Helped

The Google Play Security Reward Program began as a way for Google to enhance the security of the apps that it provided to its users. Regardless of how thorough developers are, bugs can be encountered unexpectedly, and while some innocent ones merely result in unusual glitches, more dangerous ones can leave users vulnerable to data loss and permanent harm to their devices. App developers traditionally review their own apps for bugs or have bug bounty programs where they reward developers for reporting any issues with their apps.

Google took this one step further by additionally rewarding developers for issues found in the apps on its store. The company stated that this was the first program to pay a bonus reward in addition to the developer vulnerability reward programs that the apps themselves provide.

The Google Play Security Reward Program (GPSRP) is a vulnerability reward program offered by Google Play in collaboration with the developers of certain popular Android apps. It recognizes the contributions of security researchers who invest their time and effort to help make apps on Google Play more secure. 

The goal of the program is to identify and mitigate vulnerabilities in apps on Google Play and keep Android users, developers, and the Google Play ecosystem safe.

—Google Bug Hunters Guidelines

Now that the “GPSRP has achieved its goal after 7 years,” the company no longer feels it is necessary to keep the program alive.

History of the Google Play Security Reward Program 

The GPSRP was introduced in October 2017 to incentivize security experts to look for vulnerabilities in Android apps distributed through the Google Play Store. Initially, the program was restricted to a limited list of developers, and rewards were available only for issues detected within a limited list of applications. According to Android Authority, the apps covered by the program expanded considerably over time to include the likes of Grammarly, PayPal, Amazon, Snapchat, and Tinder.

Later, in 2019, the Google Play Security Reward Program was extended to all the apps in the store that had at least 100 million installations, and the reward for detecting an issue was also increased to $20,000 USD. Google had an elaborate set of program rules that detailed the kind of bugs that developers were expected to find.

The guidelines also explained what would happen if a report was a duplicate or if SDK and library vulnerability issues were detected. For known issues that were detected, Google had capped the reward at $500 USD to acknowledge the reporter’s effort, even if they didn’t qualify for a full reward.


Image: The Google Play Security Reward Program’s Reward Criteria

Google has stated that the data from the program was used to establish automated checks that could be used to review the apps on the platform without any need for external review. The company claimed that in 2019, the checks had helped more than 300,000 developers fix more than 1,000,000 apps. 

Since then, there have likely been a much larger number of app developers that have benefitted from this model as well as from the automated checks that have identified common issues that other apps have encountered before.

What’s Next, Now That the Google Bug Bounty Has Been Discontinued?

The Google Play Security Reward Program will end on August 31, 2024. Reports submitted before that date will be triaged by September 15 and final reward decisions will be made before September 30, which is the official discontinuation date for the Google bug bounty. This means that developers still have a little over a week to submit their reports of discovered vulnerabilities to snag a reward before the program shuts down. 

While Google is ending this bug bounty program, many app developers run their own reward programs, and bugs can be reported to them directly when they are detected. Even without a reward system, individuals who notice a vulnerability should still be able to report it to the developer directly to keep users safe. The problem with the Google Play Security Reward Program being discontinued is that there is now going to be little reason for developers to spend their time combing through programs for vulnerabilities.

The news of the Google Play program winding down does not mean the organization will no longer prioritize app safety. The Google Play Security Reward Program was only a small part of the company’s security measures, one that merely added an additional layer of review of the apps that arrived in the store. 

Google has always had a robust system of checking for fraudulent and dangerous apps and filtering them out of the system, and despite some malicious apps still making it through, the system is comprehensive. In 2023, the Play Store owner claimed it had prevented 2.28 million policy-violating apps from being published on Google Play and banned 333K bad accounts from Play for violations. 

Developers will continue to be in charge of maintaining their own app security with support from Google’s other security features. The Android and Google Devices Security Reward Program and Google Mobile Vulnerability Reward Program are also available for bug hunters to benefit from. The company’s internal security team likely has more of a role in keeping the platform safe than the GPSRP had, so the transition away from the program may not be as concerning as it sounds at first.