C. Scott Brown / Android Authority
TL;DR
- Google has announced that it is winding down the Google Play Security Reward Program.
- The program was launched in late 2017 to incentivize security researchers to find and responsibly disclose vulnerabilities in popular Android apps.
- Google says it is winding down the program because of a decrease in actionable vulnerabilities reported by security researchers.
Security vulnerabilities are lurking in many of the apps you use on a day-to-day basis; there's simply no way for most companies to preemptively fix every potential security issue because of human error, deadlines, lack of resources, and a multitude of other factors. That's why many organizations run bug bounty programs to get outside help with fixing these issues. The Google Play Security Reward Program (GPSRP) is an example of a bug bounty program that paid security researchers to find vulnerabilities in popular Android apps, but it's being shut down later this month.
Google announced the Google Play Security Reward Program back in October 2017 as a way to incentivize security researchers to find and, most importantly, responsibly disclose vulnerabilities in popular Android apps distributed through the Google Play Store.
When the GPSRP first launched, it was limited to a select number of developers who were only allowed to submit eligible vulnerabilities that affected applications from a small number of participating developers. Eligible vulnerabilities included those that lead to remote code execution or theft of insecure private data, with payouts initially reaching a maximum of $5,000 for vulnerabilities of the former type and $1,000 for the latter type.
Over time, the scope of the Google Play Security Reward Program expanded to cover developers of some of the largest Android apps, such as Airbnb, Alibaba, Amazon, Dropbox, Facebook, Grammarly, Instacart, Line, Lyft, Opera, Paypal, Pinterest, Shopify, Snapchat, Spotify, Telegram, Tesla, TikTok, Tinder, VLC, and Zomato, among many others.
In August 2019, Google opened up the GPSRP to cover all apps in Google Play with at least 100 million installations, even if they didn't have their own vulnerability disclosure or bug bounty program. In July 2019, the rewards were increased to a maximum of $20,000 for remote code execution bugs and $3,000 for bugs that led to the theft of insecure private data or access to protected app components.
The goal of the Google Play Security Reward Program was simple: Google wanted to make the Play Store a safer destination for Android apps. According to the company, vulnerability data it collected from the program was used to help create automated checks that scanned all apps available in Google Play for similar vulnerabilities. In 2019, Google said these automated checks helped more than 300,000 developers fix more than 1,000,000 apps on Google Play. Thus, the downstream effect of the GPSRP is that fewer vulnerable apps are distributed to Android users.
However, Google has now decided to wind down the Google Play Security Reward Program. In an email to participating developers, such as Sean Pesce, the company announced that the GPSRP will end on August 31st.
The reason it gave is that the program has seen a decrease in the number of actionable vulnerabilities reported. Google credits this success to the "overall increase in the Android OS security posture and feature hardening efforts."
The full email sent to developers is reproduced below:
"Dear Researchers,
I hope this email finds you well. I'm writing to express my sincere gratitude to all of you who have submitted bugs to the Google Play Security Reward Program over the past few years. Your contributions have been invaluable in helping us to improve the security of Android and Google Play.
Due to the overall increase in the Android OS security posture and feature hardening efforts, we've seen fewer actionable vulnerabilities reported by the research community. Due to this decrease in actionable vulnerabilities reported, we are winding down the GPSRP program. The GPSRP program will end on August 31st. Any reports submitted before then will be triaged by September 15th. Final reward decisions will be made before September 30th when the program is officially discontinued. Final payments may take several weeks to process.
I want to assure you that all of your reports will be reviewed and addressed before the program ends. We greatly value your input and want to make sure that any issues you have identified are resolved.
Thank you again for your support of the GPSRP program. We hope that you will continue working with us, on programs like the Android and Google Devices Security Reward Program.
Best regards,
Tony
On behalf of the Android Security Team"
In September of 2018, nearly a year after the GPSRP was announced, Google said that researchers had reported over 30 vulnerabilities through the program, earning a combined bounty of over $100k. Roughly a year later, in August of 2019, Google said that the program had paid out over $265k in bounties.
As far as we know, the company hasn't disclosed how much it has paid out to security researchers since then, but we'd be surprised if the amount isn't notably higher than $265k given how long it's been since the last disclosure and the number of popular apps in the crosshairs of security researchers.
Google shutting down this program is a mixed bag for users. On one hand, it means that popular apps have largely gotten their act together, but on the other hand, it means that some security researchers won't have the incentive to disclose any future vulnerabilities responsibly, especially if those vulnerabilities affect an app made by a developer who doesn't run their own bug bounty program.