Google Play Will No Longer Pay To Discover Vulnerabilities In Popular Android Apps (androidauthority.com) 19

Android Authority's Mishaal Rahman reports: Security vulnerabilities are lurking in most of the apps you use on a day-to-day basis; there's just no way for most companies to preemptively fix every possible security issue because of human error, deadlines, lack of resources, and a multitude of other factors. That's why many organizations run bug bounty programs to get external help with fixing these issues. The Google Play Security Reward Program (GPSRP) is an example of a bug bounty program that paid security researchers to find vulnerabilities in popular Android apps, but it's being shut down later this month. Google announced the Google Play Security Reward Program back in October 2017 as a way to incentivize security researchers to find and, most importantly, responsibly disclose vulnerabilities in popular Android apps distributed through the Google Play Store. [...]

The purpose of the Google Play Security Reward Program was simple: Google wanted to make the Play Store a more secure destination for Android apps. According to the company, vulnerability data they collected from the program was used to help create automated checks that scanned all apps available in Google Play for similar vulnerabilities. In 2019, Google said these automated checks helped more than 300,000 developers fix more than 1,000,000 apps on Google Play. Thus, the downstream effect of the GPSRP is that fewer vulnerable apps are distributed to Android users.

However, Google has now decided to wind down the Google Play Security Reward Program. In an email to participating developers, such as Sean Pesce, the company announced that the GPSRP will end on August 31st. The reason Google gave is that the program has seen a decrease in the number of actionable vulnerabilities reported. The company credits this success to the "overall increase in the Android OS security posture and feature hardening efforts."

  • by williamyf ( 227051 ) on Thursday August 22, 2024 @05:18PM (#64727558)

    We are sick and tired of paying for people finding vulns in apps that do not belong to us.

    Let the developers implement their own rewards program.

    We will save the money, thank you very much.

    • by Tablizer ( 95088 )

      = short-term profits over everything else.

    • by usedtobestine ( 7476084 ) on Thursday August 22, 2024 @05:26PM (#64727582)

      Ah, it'll be just like the other app stores... The users are getting exactly what they wanted with competing App stores.

    • The reality is that if you have a good exploit, you can get $$$ for it and a lot more than what the vendors usually offer. Intelligence and big-tech will pay you much more for them.
    • That's part one. But there's diminishing returns in finding new security vulnerability prototypes in apps that have already been scanned and fixed repeatedly over the years.

      They are probably content with just using this as a scanner, and manually adding patterns that are discovered routinely. They might have a mistaken belief that Gemini will do some of this, but with LLM training it can only find variations of known things - not new things.

    • We are sick and tired of paying for people finding vulns in apps that do not belong to us.

      Let the developers implement their own rewards program.

      We will save the money, thank you very much.

      Nah, it's exactly what the summary said: There are just not very many actionable vulnerabilities being found, mostly because the effort put into hardening the OS has made it very difficult to do much with an app exploit. The number of vulnerability reports is still high, which means that Google has to pay engineers to look at and evaluate every one of them, but the percentage of reports which result in some actual improvement is low.

      The way success or failure of a vulnerability reward program (VRP) is e

  • Maybe asking for a hack gets more hack than not asking for one? Maybe some "bugs" are really honeypots? Maybe rewarding the bounty hunters adds too much legitimacy to otherwise criminally-minded hacking attempts? Maybe AI has already discovered all of the weaknesses and fixed them. Could have been an experiment, a la Mortimer and Randolph, and somebody got their $1.00.
    • by Seven Spirals ( 4924941 ) on Thursday August 22, 2024 @06:25PM (#64727672)
      None of the above. The 37337 h0x0xrs get more money [reason.com] from big security firms who then bundle them and sell them to intelligence agencies once they're properly weaponized. This isn't a theory, it's now reality.
      • None of the above. The 37337 h0x0xrs get more money [reason.com] from big security firms who then bundle them and sell them to intelligence agencies once they're properly weaponized. This isn't a theory, it's now reality.

        Not for app exploits, they don't. System, kernel, bootloader, TEE, etc., exploits are worth a lot. Your phrasing kind of implies that this is new, but it's not. Android exploits have been worth big money for over a decade. As Android security has improved the values have been climbing. At this point, Android exploit chains are worth significantly more than iOS exploit chains.

        However, lots of researchers strongly prefer to use the aboveboard VRPs even though they pay a little less. Partly this is bec

        • Sounds reasonable. I'll take your word for it. I haven't been active in "security" since I quit going to Def Con and Blackhat around year eight. I was a staffer and a judge for several contests. I left that "scene" precisely because I perceived too many "breakers" and not enough "makers". I got disgusted with the vandal mentality I was seeing and didn't want to be associated with "security people" anymore. I met some great luminaries and smart people, but the ratio in the early 2k's of smart researcher-code
          • Most "makers" -- or serious researchers -- don't bother with Def Con or Blackhat, except maybe to party. You can read all of the interesting papers in a day, and if you have questions it's more efficient to reach the author through email.
  • Yes, the decision makes no sense... unless any future "bugs" are put there intentionally, to incentivize developers to support Android, in exchange for the wealth of information that can be stolen without users' knowledge. Indeed, the R&D expense to engineer backdoors in such a way that they appear accidental is huge.
  • The reason Google gave is that the program has seen a decrease in the number of actionable vulnerabilities reported. The company credits this success to the "overall increase in the Android OS security posture and feature hardening efforts."

    Oh ok... hey wait a second... that makes NO sense. If vulnerabilities aren't being found, that means they can INCREASE the reward, not eliminate it.

    • The challenge is you get tons of nonsense that you have to respond to. Researchers all want to publish it as a big bug, etc. It wastes tons and tons of time, so painful. Even if you explain why it's not a problem, they remain convinced. 90%+ of security reports I've seen are non-issues.
  • As others have pointed out, the blackmarket price of an exploit is very high. However, many (if not most) people would prefer to sell their bug to a bug bounty program rather than on the black market if for no other reason than not having the skills or connections to do such a thing.

    However, the world is now full of "security experts" who run open-source or even commercial tools and open up a ticket with the software vendor for every finding. That's true even if the software vendor uses the exact same t

  • They want a % and will use their name to get it. That is all and screw the consumer.
