Google has announced that it will end its Google Play Security Reward Program, a bug bounty initiative that for nearly seven years enabled researchers and developers to identify and fix vulnerabilities in popular Android apps.
Launched in October 2017, the program attracted security researchers to discover and disclose flaws in apps distributed through the Google Play Store.
Despite the success of the program, Google has decided to discontinue it because the number of reported vulnerabilities requiring action has decreased.
Initially, the program focused on a select group of developers and apps, offering rewards of up to $5,000 for the most critical vulnerabilities, such as remote code execution. In 2019, the scope was expanded to include all apps distributed on the platform with over 100 million downloads, with payouts reaching up to $20,000.
In an email seen by Android Authority, the Android security team wrote: “Due to the overall improved security posture of the Android operating system and feature hardening efforts, we have seen fewer vulnerabilities reported by the research community that require security intervention.”
The email also confirms that the program will end on August 31, 2024, and reports submitted by then will be reviewed by September 15. Rewards will be decided by September 30, when the program officially closes.
In addition, in the last fiscal year, Google blocked 2.28 million privacy-violating apps and suspended 333,000 accounts of malicious developers, among other improvements to the Play Store.
However, with the discontinuation of the Google Play Security Reward Program, researchers may be less motivated to report issues, potentially leaving some apps more at risk and raising concerns about future vulnerabilities and the security of the platform.