Google is phasing out its bug bounty program, which offers financial rewards to hackers who find and submit evidence of vulnerabilities in popular applications. The move comes after a decline in the number of vulnerabilities submitted to the program, a Google spokesperson told CyberScoop on Tuesday.
Introduced in 2017, the Google Play Security Rewards program was designed to incentivize the identification of vulnerabilities in apps available for download on the Google Play Store, the world's most used app marketplace, which offers billions of apps and games, with more than 113 billion apps and games expected to be downloaded by 2023, according to some estimates.
After seven years, the program has “achieved its goal” of encouraging app developers to establish their own security programs, so the company is happy to phase out its vulnerability reporting program, a Google spokesperson said.
The program focuses on popular Android applications from third-party developers.
The company recently notified researchers of its decision in an email, writing that “strengthening the overall security posture and hardening efforts of the Android OS has resulted in fewer vulnerabilities being reported by the research community.”
The company said the program will end on Aug. 31; reports submitted by then will be screened by Sept. 15, and final award decisions will be made by Sept. 30, “when the program officially ends.”
“Rest in peace GPSRP,” information security researcher Sean Pesce wrote on X on August 16, when sharing an email from the Android security team. “Hacking Android is now a lot less profitable than it used to be.”
Google claims the program yielded few “actionable” discoveries, but Pesce told CyberScoop: “I'm just one person, but in a relatively short amount of time I found a significant number of high-impact bugs in apps with over 100 million downloads, some of which have been downloaded over a billion times.”
According to Pesce, high-impact attacks include remote code execution, file theft and account takeover, and most of them are “one-click” attacks exploited when a victim clicks on a malicious link – a common attack vector in mobile apps.
“GPSRP was a great program to secure the Android ecosystem, but at the end of the day, Google was paying for vulnerabilities in non-Google products,” Pesce added. “I haven't really seen other companies do that.”
Mathias Payer, a computer security researcher at the École Polytechnique Fédérale de Lausanne in Switzerland, told CyberScoop that this is a “tough situation” given that Google makes “significant revenue” from its app store and that its bug bounty program allows it to “protect its entire customer base.”
“Meanwhile, large companies that run their apps on Google platforms may be running bug bounty platforms themselves,” Payer added in an email.
Payer said that while some companies that sell apps on the Google Play store may have the resources to run their own bug bounty programs, Google's decision to shut down its bounty program would remove a key feature of the company's security ecosystem.
“In an ideal world, both sides would collaborate openly with security researchers to protect their systems not just through bug bounty platforms but through investments in active security,” he said.
“We're deeply grateful to the security research community for their work helping to keep Android users safe,” a Google spokesperson told CyberScoop, adding that GPSRP is “the first program to pay bonus bounty awards on top of applicable developer vulnerability bounty programs.”
But it said it has seen a decline in “actionable vulnerabilities” reported against the program, given what it describes as advances in security features and hardening of its operating systems.
The spokesperson did not respond to questions about why the program would not continue despite the cuts in staffing and resources.
“We encourage researchers to work directly with application developers if they discover potential security vulnerabilities,” the spokesperson said.
Updated August 21, 2024: This story has been updated to include comment from Sean Pesce.
Correction, August 22, 2024: This story has been corrected to clarify the scope of the GPSRP.