Google ends payments to researchers for finding vulnerabilities in popular Android apps

After nearly seven years, Google is winding down the Google Play Security Reward Program (GPSRP), Android Authority reported on Monday. Introduced in October 2017, this initiative aimed to incentivize security researchers to find and responsibly disclose vulnerabilities in popular Android apps available on the Google Play Store. The decision to conclude the program was communicated in an email to participating developers, explaining that the decline in actionable vulnerabilities reported by the research community was a key factor in this decision. Google credits the overall improvement in Android OS security posture and feature hardening efforts for the reduced number of vulnerabilities being reported.

When the GPSRP was first launched, it was limited to a small group of developers who could submit eligible vulnerabilities affecting applications from a select number of participating developers. Initially, the program offered rewards of up to $5,000 for remote code execution vulnerabilities and $1,000 for those leading to the theft of insecure private data. Over the years, the program expanded significantly, eventually covering apps with at least 100 million installations and increasing rewards to a maximum of $20,000 for certain types of vulnerabilities.

The GPSRP played a crucial role in improving the security of the Google Play Store. According to Google, the vulnerability data collected through the program was used to develop automated checks that scanned all apps in Google Play for similar issues. These checks helped over 300,000 developers fix more than 1,000,000 apps on the platform, reducing the number of vulnerable apps distributed to users. Despite these successes, Google has decided to end the program, with the final reports being triaged by September 15th and final reward decisions made by September 30th.

The shutdown of the GPSRP marks a significant shift in Google’s approach to app security. While the reduction in reported vulnerabilities is a positive sign, the end of the program may leave some security researchers without the incentive to disclose future vulnerabilities responsibly, especially for apps from developers who do not run their own bug bounty programs. Nevertheless, Google hopes that researchers will continue to collaborate with them through other initiatives like the Android and Google Devices Security Reward Program.

In the years since its inception, the GPSRP has paid out substantial rewards to researchers. By September 2018, nearly a year after the program’s launch, Google announced that over 30 vulnerabilities had been reported, resulting in bounties exceeding $100,000. A year later, that figure had risen to over $265,000. While the total amount paid out since then remains undisclosed, it is likely much higher, given the number of high-profile apps scrutinized by researchers over the years. The program officially ends on August 31st, with final payments to researchers being processed in the weeks that follow.

Written by Maya Robertson
