Last Updated:
Google says the existing reports will be studied and rewarded.
Google’s reward program helped external researchers to find and report issues with Android and in Play Store and get paid for their efforts.
Google is shutting down its lucrative bug bounty program by the end of August this year. Google has relied heavily on developers to help them find and report bugs in Android that are fixed immediately to stop it from becoming a big issue.
These researchers are even paid for their efforts and sometimes the amount can be in lakhs or crores. The Play Security Reward program was started in 2017 when Google had a hard time managing the issues that plagued Android users and the platform in general. So why is the company shutting down a program that has only helped Android become safer?
Play Rewards Program Shutting Down But Why
The Play Reward Program was set up by Google so that external and third-party security researchers can inspect, discover and report any major security bug that can become a concern for Android users. Google has its own internal security team but extending its wing has paid heavy dividends. The incentive for these researchers have been fruitful as well.
We have come across researchers getting paid in lakhs and crores depending on the severity and urgency of the bug. Play Store hosts millions of Android apps and out of them thousands are considered as top choice among smartphone users with over 100 million installs over the years. Google feels that in recent times the frequency of these bug reports have come down, which has played a big role in its decision to discontinue the program.
Google’s Letter To Researchers On Shutting Down Rewards Program
Here’s the letter that Google has sent out informing the researchers about its decision to end the program by the end of this month.
Dear Researchers,
I hope this email finds you well. I am writing to express my sincere gratitude to all of you who have submitted bugs to the Google Play Security Reward Program over the past few years. Your contributions have been invaluable in helping us to improve the security of Android and Google Play.
As a result of the overall increase in Android OS security posture and feature hardening efforts, we’ve seen fewer actionable vulnerabilities reported by the research community. Due to this decrease in actionable vulnerabilities reported, we are winding down the GPSRP program and it will end on August 31st.
Any reports submitted before then will be triaged by September 15 and the final rewards decisions will be made before September 30 when the program is officially discontinued. Final payments may take a few weeks to process.
I want to assure you that all of your reports will be reviewed and addressed before the program ends. We greatly value your input and want to make sure that any issues you have identified are resolved.
Best regards,
Tony
On behalf of the Android security team
Android continues to face malicious threats even today so we are not sure if shutting down a program that has served well for over 7 years is the right call, unless Google is happy with its internal team who will take the heavy work forward.