The tech giant says it is receiving fewer vulnerabilities and that security improvements have resulted in a more secure Android ecosystem.
The post Google to wind down app store bug bounty appeared first on CyberScoop.
Google is winding down a bug bounty program that provides a financial reward to hackers who discover and submit evidence of vulnerabilities in highly popular applications, a move prompted by a diminishing number of vulnerabilities submitted to the program, a Google spokesperson told CyberScoop Tuesday.
Introduced in 2017, the Google Play Security Reward Program was designed to incentivize the identification of vulnerabilities in apps available for download in the Google Play Store, the most used app market in the world, with billions of apps and games available and more than 113 billion apps and games downloaded in 2023, according to some estimates.
Seven years later, the program “has achieved its goal” of encouraging app developers to establish their own security programs, and therefore the company feels comfortable winding down the vulnerability reporting program, a Google spokesperson said.
The program focuses on widely used applications developed by Google, such as the mobile application for Gmail and the Fitbit app, along with a host of other widely popular apps.
The company notified researchers of the decision in an email in recent days, writing that because of “the overall increase in Android OS security posture and feature hardening efforts, we’ve seen fewer vulnerabilities reported by the research community.”
The program will end Aug. 31, and any reports submitted before then will be triaged by Sept. 15, the company said, with final reward decisions made before Sept. 30, “when the program is officially discontinued.”
“RIP GPSRP,” Sean Pesce, an information security researcher, posted to X on Aug. 16 when he shared the Android Security Team email. “Android hacking just got a lot less lucrative.”
Mathias Payer, a computer security researcher at Switzerland’s École Polytechnique Fédérale de Lausanne, told CyberScoop that it’s “a tough situation” given that Google makes “substantial money” on its app store, and the bug bounty program allowed it to “protect their customers at large.”
“On the other hand, these large companies that run their app on the Google platform could be running bug bounty platforms themselves,” Payer added in an email.
Payer said that while some companies selling apps via the Google Play store may have the resources to run their own bug bounty programs, the decision to shut down Google’s bounty program removes an important feature of its security ecosystem.
“In an ideal world, both sides would work openly with security researchers to protect their systems both through a bug bounty platform but also by investing into active security,” he said.
“We greatly appreciate the security research community that helps keep Android users safe,” the Google spokesperson told CyberScoop, adding that the GPSRP “was the first program of its type to pay a bonus reward in addition to any applicable developer vulnerability reward programs.”
But, given what the company described as advancements in its security features and operating system hardening, there have been fewer “actionable vulnerabilities reported” to the program.
The spokesperson did not respond to a question about why the company would not simply keep the program running, even with reduced staffing or resources.
“We encourage researchers to work directly with application developers should they discover potential security vulnerabilities,” the spokesperson said.
Source: CyberScoop
Source Link: https://cyberscoop.com/google-play-store-bug-bounty-shut-down-gpsrp/