Google to wind down app store bug bounty
Google is winding down a bug bounty program that provides a financial reward to hackers who discover and submit evidence of vulnerabilities in highly popular applications, a move prompted by a diminishing number of vulnerabilities submitted to the program, a Google spokesperson told CyberScoop Tuesday.
Introduced in 2017, the Google Play Security Reward Program was designed to incentivize the identification of vulnerabilities in apps available for download in the Google Play Store, the most used app market in the world, with billions of apps and games available and more than 113 billion apps and games downloaded in 2023, according to some estimates.
Seven years later, the program “has achieved its goal” of encouraging app developers to establish their own security programs, and therefore the company feels comfortable winding down the vulnerability reporting program, a Google spokesperson said.
The program focuses on popular Android applications from third-party developers.
The company notified researchers of the decision in an email in recent days, writing that because of “the overall increase in Android OS security posture and feature hardening efforts, we’ve seen fewer vulnerabilities reported by the research community.”
The program will end Aug. 31, and any reports submitted before then will be triaged by Sept. 15, the company said, with final reward decisions made before Sept. 30, “when the program is officially discontinued.”
“RIP GPSRP,” Sean Pesce, an information security researcher, posted to X on Aug. 16 when he shared the Android Security Team email. “Android hacking just got a lot less lucrative.”
Pesce told CyberScoop that while Google claims they had fewer “actionable” findings, “I’m only one person and I found a pretty large number of high-impact bugs in apps with 100 million+ downloads (and some with over a billion) with relatively little time investment.”
High-impact bugs include remote code execution, file stealing and account takeovers, Pesce said, and were mostly “one-click” attacks that are exploited when a victim clicks a malicious link, a common attack vector in mobile apps.
“GPSRP was a great program for securing the Android ecosystem, but at the end of the day Google was paying for vulnerabilities in non-Google products,” Pesce added. “That’s not really something you see other companies doing.”
Mathias Payer, a computer security researcher at Switzerland’s École Polytechnique Fédérale de Lausanne, told CyberScoop that it’s “a tough situation” given that Google makes “substantial money” on its app store, and the bug bounty program allowed it to “protect their customers at large.”
“On the other hand, these large companies that run their app on the Google platform could be running bug bounty platforms themselves,” Payer added in an email.
Payer said that while some companies selling apps via the Google Play store may have the resources to run their own bug bounty programs, the decision to shut down Google’s bounty program removes an important feature of its security ecosystem.
“In an ideal world, both sides would work openly with security researchers to protect their systems both through a bug bounty platform but also by investing into active security,” he said.
“We greatly appreciate the security research community that helps keep Android users safe,” the Google spokesperson told CyberScoop, adding that the GPSRP “was the first program of its type to pay a bonus reward in addition to any applicable developer vulnerability reward programs.”
But, given what the company described as advancements in its security features and operating system hardening, there have been fewer “actionable vulnerabilities reported” to the program.
The spokesperson did not respond to a question about why the company would not simply keep the program running, even with reduced staffing or resources.
“We encourage researchers to work directly with application developers should they discover potential security vulnerabilities,” the spokesperson said.
Updated, Aug. 21, 2024: This story has been updated to include comment from Sean Pesce.
Correction, Aug. 22, 2024: This story has been corrected to clarify the scope of the GPSRP.