Hacker News: Google Play will no longer pay to discover vulnerabilities in Android apps

Source URL: https://www.androidauthority.com/google-play-security-reward-program-winding-down-3472376/
Source: Hacker News

**Summary:** Google is discontinuing the Google Play Security Reward Program (GPSRP), which was established to incentivize the reporting of vulnerabilities in Android apps. The decision arises from a noted decrease in actionable vulnerabilities, attributed to improved security measures in the Android ecosystem.

**Detailed Description:**

– **Program Overview:**
  – Introduced in 2017, the GPSRP aimed to encourage security researchers to identify and responsibly disclose vulnerabilities in popular Android applications found on the Google Play Store.
  – Initially limited to a select group of developers, the program expanded to cover major apps with significant user bases, ultimately extending to all apps with over 100 million installations.

– **Incentives and Scope:**
  – The program offered monetary rewards, starting at a maximum of $5,000 for critical vulnerabilities, later increasing to $20,000 for remote code execution bugs.
  – The aim was to improve the overall security posture of apps and the Google Play ecosystem by utilizing vulnerability data to create automated security checks.

– **Why the Program is Ending:**
  – Google cited a substantial decrease in actionable vulnerabilities as the primary reason for discontinuation, indicating a positive trend in the Android OS security landscape.
  – The final day for reports under this program is August 31st, with a review timeline for submissions extending into September.

– **Potential Implications:**
  – While the decrease in vulnerabilities indicates improvements in app security, the shutdown may pose risks, as some researchers might be disincentivized from reporting flaws in apps that lack their own bug bounty programs.
  – The shutdown also raises concerns about the future of responsible disclosure practices in the Android ecosystem, as the incentive-driven model may be reduced.

– **Key Dates:**
  – GPSRP Ends: August 31
  – Report Triaging Deadline: September 15
  – Final Reward Decisions: Before September 30

This development invites security professionals to reevaluate how they monitor vulnerabilities and incentivize responsible disclosure, highlighting the evolving landscape of app security in Android and the role of programs like GPSRP in encouraging proactive security measures.