Google Play bug bounty program to shutter by month's end


Bug bounty hunters looking to cash in by identifying flaws in the millions of downloadable apps offered in the Google Play store have less than two weeks to enter their submissions.

The tech behemoth announced on its Google Bug Hunters website Monday that the program would not accept new submissions after August 31st because of its planned ending.

Google’s Bug Bounty program was created to reward white-hat hackers who find and report security vulnerabilities for various Google-owned products in exchange for monetary payments and street cred in the bug-hunting community.

The two affected bounty programs under the Play umbrella are the Google Play Security Reward Program (GPSRP), for reporting security flaws, and the Developer Data Protection Reward Program (DDPRP), for reporting data abuse.

Both programs are said to be officially ending on September 30th, 2024, and “will close for submissions of new reports on August 31st.”

Monetary rewards under the programs ranged from $500 for identifying apps that steal sensitive user data to a $20,000 reward for identifying apps vulnerable to ‘arbitrary remote code execution.’

Products included in the bug bounty program are any Google or Alphabet (Bet) subsidiary hardware, software, or web service, covering the entire Google Play ecosystem found on Android OS.

The Google Play Security Reward Program, first started in 2017, encouraged hunters to identify and mitigate security vulnerabilities in apps found on Google Play, whose app count was listed as 3.3 million as of April, according to mobile app consulting firm Appinventiv.

By contrast, DDPRP researchers are told to look for apps that violate data program policies and potentially put user data at risk.

Google said it was discontinuing the GPSRP program ‘due to a decrease in actionable vulnerabilities reported by security researchers,’ according to Android Authority, which first reported the story.

The program covers all “popular Android applications, Chrome extensions, and applications leveraging the Google API,” said Google.

Google noted that final payments for both programs could take a few weeks to process for August submissions.

Google’s overall Vulnerability Reward Program (VRP) – which also covers Google Cloud and, most recently, Gemini AI – has been running since 2010 as a way to “recognize the contributions of security researchers who invest their time and effort… helping us keep our users safe.”

VRP has handed out over $45.2 million in rewards to almost 3,000 paid bug hunters and rewarded over 15,000 individuals since its inception, Google reports.