Thursday, September 19, 2024

After 7 years, Google will stop paying researchers to find vulnerabilities in popular Android apps

Summary

  • Major tech giants like Google pay researchers for finding vulnerabilities in their products.
  • Google is shutting down the Google Play Security Reward Program on August 31, 2024.
  • It will review all submitted reports before the program ends, though payouts can take a few weeks.



All major tech giants run a bug bounty program, paying security researchers and hackers a considerable sum of money for discovering vulnerabilities in their products and services. Google has the Android and Google Devices Security Reward Program, under which it pays security researchers for finding vulnerabilities in its cameras, doorbells, speakers, thermostats, streaming devices, etc. It also has the Google Play Security Reward Program, collaborating with top developers to pay researchers for finding vulnerabilities in Android apps. Going forward, though, the company will do away with this program.


As a part of the Google Play Security Reward Program, Google pays security researchers up to $20,000 for finding a vulnerability that allows for arbitrary remote code execution without user interaction. For theft of sensitive data, the payout stands at $5,000. The reward amount is lower for other, less severe vulnerabilities, varying from $500 to $10,000. The program launched in October 2017 and expanded in August 2019 to include all Android apps with more than 100 million downloads.

Google is now informing enrolled developers that it is permanently shutting down this rewards program. The last date for submitting bug bounty reports is August 31, 2024 (via Android Authority). After this date, the company won’t process any reports under its rewards program. It will make its final reward decisions on submitted reports by September 30, 2024. Google also reassures researchers that it will review all submitted reports before the program ends.



Google is shutting down the program due to its improved security measures

In its email, Google states that it is closing down the program because of the “overall increase in the Android OS security posture and feature hardening efforts.” This has led to researchers submitting fewer vulnerabilities than before.

The company has also updated the Google Play Security Reward Program page to reflect this change.

In its last annual report, Google claims to have stopped 2.28 million privacy-violating apps and banned 333,000 malicious developer accounts. Last year, it also announced major improvements to Google Play Protect, including real-time scanning for Android malware. More recently, it bolstered the Play Integrity API with in-app signals to prevent fraudulent activities.


These improvements are evidently working and have led to fewer vulnerabilities being discovered in Android apps and the ecosystem.
