Google has announced that it will discontinue its Google Play Security Reward Program at the end of August 2024. This decision, as revealed in an email to participating security researchers, marks the conclusion of a seven-year initiative aimed at enhancing the security of popular Android applications.
The tech giant cited a decrease in the number of reported vulnerabilities as the primary reason for ending the program, attributing this decline to improvements in Android’s overall security posture and feature hardening efforts.
The Google Play Security Reward Program was launched in 2017 as part of Google’s broader effort to encourage responsible vulnerability disclosure.
By offering financial incentives, the program aimed to engage the global security research community in identifying and reporting flaws in Android applications.
The program initially offered rewards of up to $5,000 for vulnerabilities related to remote code execution and $1,000 for vulnerabilities that could lead to the theft of insecure private data.
In July 2019, the rewards were significantly increased, with payouts of up to $20,000 for remote code execution vulnerabilities and $3,000 for data theft issues.
Over time, the program expanded to include not only Google-developed apps but also popular third-party apps with over 100 million downloads.
This extension brought developers from major companies such as Facebook, Amazon, Alibaba, and Tesla into the fold, allowing security researchers to earn rewards for vulnerabilities discovered in these widely used applications.
In an official statement on Monday, Google explained that the program’s discontinuation reflects the reduced number of actionable vulnerabilities being reported by researchers.
“Due to the overall increase in the Android OS security posture and feature hardening efforts, we’ve seen fewer actionable vulnerabilities reported by the research community,” the company noted in its email to participants.
The final date for submitting reports under the program is August 31, 2024, with Google committing to reviewing all reports before determining final rewards by September 30, 2024.
While payments may take a few weeks to process, Google assured participants that all eligible reports will be addressed.
The decision to end the program highlights Google’s confidence in the security measures it has implemented over the years.
In its most recent annual report, Google claimed to have stopped 2.28 million privacy-violating apps and banned 333,000 malicious developer accounts. Additionally, significant updates have been made to Google Play Protect, which now includes real-time malware scanning for Android devices.
The discontinuation of the Google Play Security Reward Program is part of a broader trend among tech companies that have increasingly emphasized proactive security measures over reactive solutions.
Other major technology firms, such as Apple and Microsoft, also run similar bug bounty programs, which are designed to incentivize security researchers to identify and report vulnerabilities before they can be exploited by malicious actors. However, as these companies improve their security frameworks, the number of critical vulnerabilities has decreased, leading to a reevaluation of such reward programs.
The Google Play Security Reward Program was instrumental in encouraging collaboration between developers and the security research community. Since its inception, the program has rewarded researchers with substantial payouts, including over $265,000 in rewards distributed to developers by August 2019.
