Google to End Google Play Security Reward Program in August 2024

19 Aug 2024

In a significant shift in its approach to app security, Google has announced the termination of its Google Play Security Reward Program (GPSRP), which has been operational since October 2017. This bug bounty initiative was designed to encourage external security researchers to identify and report vulnerabilities within Android applications available on the Google Play Store.

The GPSRP initially targeted a select group of developers, allowing them to submit reports on vulnerabilities affecting a limited number of applications. Over time, the program expanded its reach, encompassing a broader array of apps from notable companies such as Amazon, Snapchat, Tesla, and TikTok. Despite this growth, Google has now decided to discontinue the program, meaning that security researchers will no longer receive financial rewards for their findings.

"Google is ending the Google Play Security Reward Program on August 31st due to fewer vulnerabilities being reported." (choqao, @choqao, August 19, 2024)

Will Android apps now be exposed to undiscovered security risks?

While the cessation of monetary rewards may raise concerns about the security of Android apps, Google asserts that this decision is rooted in confidence regarding its existing security protocols. The company emphasizes that the GPSRP was instrumental in enhancing the overall security of the Play Store.

Throughout the program's tenure, Google accumulated a wealth of data on vulnerabilities, which has been leveraged to develop automated checks that scrutinize all apps listed on the Play Store for potential security issues. As a result, the frequency of vulnerabilities slipping through the cracks has significantly diminished, leading Google to conclude that the Play Store is now largely fortified against such risks.

However, the winding down of the GPSRP does pose a challenge for security researchers, who may find themselves without the financial incentives that previously motivated them to report vulnerabilities. Nevertheless, these researchers can still participate in the Vulnerability Rewards Program, which has recently expanded to include Generative Artificial Intelligence platforms, providing an alternative avenue for recognition and reward in the evolving landscape of cybersecurity.

Update: 19 Aug 2024