Google ends bug bounty program in the App Store

Google is ending a bug bounty program that offers hackers a financial reward for discovering and submitting evidence of vulnerabilities in highly popular applications. The move is due to the declining number of vulnerabilities reported through the program, a Google spokesperson told CyberScoop on Tuesday.

Launched in 2017, the Google Play Security Reward Program was designed to encourage the identification of vulnerabilities in apps available for download on the Google Play Store. The Google Play Store is the most used app marketplace in the world, with an estimated billions of apps and games available and more than 113 billion app and game downloads by 2023.

Seven years later, the program has “achieved its goal” of encouraging app developers to develop their own security programs, and therefore the company can safely end the vulnerability reporting program, a Google spokesperson said.

The program focuses on widely used applications developed by Google, such as the Gmail mobile application and the Fitbit app, as well as a variety of other widely used apps.

The company informed researchers of its decision via email in recent days, writing that “due to the overall improved security posture of the Android operating system and feature hardening efforts, we have seen fewer vulnerabilities reported by the research community.”

The program ends on August 31. All reports submitted by then will be reviewed by September 15, the company said. The final compensation will be decided before September 30, “when the program is officially discontinued.”

“RIP GPSRP,” Sean Pesce, an information security researcher, posted on X on August 16, sharing the Android Security Team email. “Android hacking just got a lot less lucrative.”

Mathias Payer, a computer security researcher at Switzerland’s École Polytechnique Fédérale de Lausanne, told CyberScoop that it was “a difficult situation” because Google makes “significant money” from its App Store and the bug bounty program allows the company to “protect its customers overall.”

“On the other hand, these large companies that run their app on the Google platform could run bug bounty platforms themselves,” Payer added in an email.

Payer said that some companies that sell apps through the Google Play Store may have the resources to run their own bug bounty programs, but the decision to shut down Google’s bounty program removes an important function from the company’s security ecosystem.

“In an ideal world, both sides would openly collaborate with security researchers to protect their systems both through a bug bounty platform and by investing in active security,” he said.

“We are very grateful to the security research community that helps keep Android users safe,” the Google spokesperson told CyberScoop, adding that the GPSRP “was the first program of its kind to pay a bonus reward for vulnerabilities in addition to existing developer reward programs.”

However, given what the company says are advances in security features and operating system hardening, fewer “actionable vulnerabilities have been reported” to the program.

When asked why the company did not simply continue the program, even with reduced staff or resources, the spokesperson did not respond.

“We encourage researchers to work directly with application developers if they discover potential security vulnerabilities,” the spokesperson said.

Written by AJ Vicens

AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Contact us via Signal/WhatsApp: (810-206-9411).
