Google is ending the Play Store security reward program

News
By
last updated

Google just dropped a bomb on security researchers: no more Play Store bug bounties.

The Google Play Logo on stage at an event in NYC
(Image credit: Nicholas Sutrich / Android Central)

What you need to know

  • Launched in 2017, the Google Play Security Program will no longer be functional after August 31.
  • However, researchers can still submit security reports, which will be addressed until September 30.
  • Google cites a "decrease in actionable vulnerabilities reported" as the reason for its discontinuation.

Updated 4:00pm ET with new comments from Google.

After seven successful years, Google’s Play Security Reward Program is ending on August 31. The company recently let developers know about the decision via email.

The program paid developers who found and disclosed vulnerabilities in Android apps, explained Mishaal Rahman at Android Authority. The program, which was fairly unique, has "achieved its goals," a Google spokesman told Android Authority.

"We greatly appreciate the security research community that helps keep Android users safe. The Google Play Security Reward Program (GPSRP) was the first program of its type to pay a bonus reward in addition to any applicable developer vulnerability reward programs. Launched to encourage app developers to establish their own security programs, GPSRP has achieved its goal after 7 years."

For the uninitiated, Google kicked off the program in 2017 to encourage developers and security researchers to find vulnerabilities in Google’s websites, apps, Chrome and Chrome OS, and Pixel devices. Researchers who spotted and reported issues were rewarded with cash from Google Play.

Though it did boost Android and Google Play security, the system is no longer necessary, Google told us. "As a result of our advancements in Android security features and OS hardening, we’ve seen fewer actionable vulnerabilities reported to the GPSRP program by the research community. Due to this decrease in actionable vulnerabilities reported, we are winding down the program."

"We encourage researchers to work directly with application developers should they discover potential security vulnerabilities," he added.

GPSRP discontinue email

(Image credit: Mishaal Rahman/ via Android Authority)

As mentioned, the program will end on August 31; however, reports submitted before that period will be triaged by September 15, and final reward decisions are expected to be made before September 30. After that, the program will be "officially discontinued," the Android security team notes in the email.

The GPSRP was an extra step to gather vulnerability data and create automated checks. These checks would be applied to all Android apps on the Play Store to check for similar vulnerabilities and make the app store safer, even though Google already has its own set of measures to keep the Play Store safe for those many apps. Either way, it is about to end—for better or worse.

Vishnu Sarangapurkar
Vishnu Sarangapurkar
News Writer

Vishnu works as a freelance News Writer for Android Central. For the past four years, he's been writing about consumer technology, primarily involving smartphones, laptops, and every other gizmo connected to the Internet. When he is away from keyboard, you can see him going on a long drive or chilling on a couch binge-watching some crime series.