No more rewards for finding Android app vulnerabilities
According to a recent report, Google has decided to wind down the Google Play Security Reward Program (GPSRP). The company notified participating developers via email that the program will wrap up on August 31. Google explained that the program is ending because there has been a drop in the number of actionable vulnerabilities reported. The company attributes this success to improvements in Android OS security and ongoing efforts to strengthen features.
Back in October 2017, Google kicked off the Google Play Security Reward Program to motivate security researchers to track down and responsibly report flaws in popular Android apps from the Google Play Store.
When the GPSRP first started, it was only available to a handful of developers who could report vulnerabilities affecting a limited set of apps. As time went on, the program broadened its reach to include all apps on Google Play with at least 100 million installs.
With the GPSRP, developers could earn money by finding security flaws in Android apps. | Image credit – Google
The Google Play Security Reward Program had a clear mission: to make the Play Store a safer spot for Android apps. Google took the vulnerability data from the program and used it to build automated scans that checked all apps on Google Play for similar issues. These scans have helped over 300,000 developers fix more than 1,000,000 apps. So, overall, thanks to the GPSRP, fewer risky apps ended up in the hands of Android users.
Google closing this program has its pros and cons. I mean, on the bright side, it suggests that major apps have made strides in securing their platforms. Yet, it also might diminish the drive for security experts to responsibly report any flaws they find. This could be an issue if those flaws are found in apps by developers who don’t have their own systems for handling bug reports.