Google Play will not pay to find vulnerabilities in widespread Android apps

Safety vulnerabilities are lurking in a lot of the apps you employ on a day-to-day foundation; there’s simply no approach for many firms to preemptively repair each doable safety subject due to human error, deadlines, lack of sources, and a large number of different elements. That’s why many organizations run bug bounty packages to get exterior assist with fixing these points. The Google Play Safety Reward Program (GPSRP) is an instance of a bug bounty program that paid safety researchers to seek out vulnerabilities in widespread Android apps, but it surely’s being shut down later this month.

Google introduced the Google Play Safety Reward Program again in October 2017 as a option to incentivize safety searchers to seek out and, most significantly, responsibly disclose vulnerabilities in widespread Android apps distributed by means of the Google Play Retailer.

When the GPSRP first launched, it was restricted to a choose variety of builders who have been solely allowed to submit eligible vulnerabilities that affected functions from a small variety of collaborating builders. Eligible vulnerabilities embrace people who result in distant code execution or theft of insecure personal knowledge, with payouts initially reaching a most of $5,000 for vulnerabilities of the previous kind and $1,000 for the latter kind.

Through the years, the scope of the Google Play Safety Reward Program program expanded to cowl builders of a number of the largest Android apps corresponding to Airbnb, Alibaba, Amazon, Dropbox, Fb, Grammarly, Instacart, Line, Lyft, Opera, Paypal, Pinterest, Shopify, Snapchat, Spotify, Telegram, Tesla, TikTok, Tinder, VLC, and Zomato, amongst many others.

In August 2019, Google opened up the GPSRP to cowl all apps in Google Play with not less than 100 million installations, even when they didn’t have their very own vulnerability disclosure or bug bounty program. In July 2019, the rewards have been elevated to a most of $20,000 for distant code execution bugs and $3,000 for bugs that led to the theft of insecure personal knowledge or entry to protected app parts.

The aim of the Google Play Safety Reward Program was easy: Google wished to make the Play Retailer a safer vacation spot for Android apps. In accordance with the corporate, vulnerability knowledge they collected from this system was used to assist create automated checks that scanned all apps accessible in Google Play for related vulnerabilities. In 2019, Google stated these automated checks helped greater than 300,000 builders repair greater than 1,000,000 apps on Google Play. Thus, the downstream impact of the GPSRP is that fewer weak apps are distributed to Android customers.

Nonetheless, Google has now determined to wind down the Google Play Safety Reward Program. In an e-mail to collaborating builders, corresponding to Sean Pesce, the corporate introduced that the GPSRP will finish on August thirty first.

The rationale they gave is that this system has seen a lower within the variety of actionable vulnerabilities reported. Google credit this success to the “total enhance within the Android OS safety posture and have hardening efforts.”

The complete e-mail despatched to builders is reproduced under:

“Expensive Researchers,

 

I hope this e-mail finds you properly. I’m writing to specific my honest gratitude to all of you who’ve submitted bugs to the Google Play Safety Reward Program over the previous few years. Your contributions have been invaluable in serving to us to enhance the safety of Android and Google Play.

 

Because of the general enhance within the Android OS safety posture and have hardening efforts, we’ve seen fewer actionable vulnerabilities reported by the analysis neighborhood. As a consequence of this lower in actionable vulnerabilities reported, we’re winding down the GPSRP program. The GPSRP program will finish on August thirty first. Any stories submitted earlier than then shall be triaged by September fifteenth. Closing reward selections shall be made earlier than September thirtieth when this system is formally discontinued. Closing funds might take just a few weeks to course of.

 

I wish to guarantee you that all your stories shall be reviewed and addressed earlier than this system ends. We significantly worth your enter and wish to guarantee that any points you may have recognized are resolved.

 

Thanks once more to your assist of the GPSRP program. We hope that you’ll proceed working with us, on packages just like the Android and Google Gadgets Safety Reward Program.

 

Finest regards,

Tony

On behalf of the Android Safety Staff”

In September of 2018, practically a yr after the GPSRP was introduced, Google stated that researchers had reported over 30 vulnerabilities by means of this system, incomes a mixed bounty of over $100k. Roughly a yr later, in August of 2019, Google stated that this system had paid out over $265k in bounties.

So far as we all know, the corporate hasn’t disclosed how a lot they’ve paid out to safety researchers since then, however we’d be stunned if the quantity isn’t notably increased than $265k given how lengthy it’s been because the final disclosure and the variety of widespread apps within the crosshairs of safety researchers.

Google shutting down this program is a blended bag for customers. On one hand, it implies that widespread apps have largely gotten their act collectively, however however, it implies that some safety researchers gained’t have the inducement to reveal any future vulnerabilities responsibly, particularly if these vulnerabilities affect an app made by a developer who doesn’t run their very own bug bounty program.