Google to wind down app store bug bounty | CyberScoop<\/title> <meta name=\"description\" content=\"The tech giant says it is receiving fewer vulnerabilities and that security improvements have resulted in a more secure Android ecosystem. \"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/google-play-store-bug-bounty-shut-down-gpsrp\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Google to wind down app store bug bounty \"> <meta property=\"og:description\" content=\"The tech giant says it is receiving fewer vulnerabilities and that security improvements have resulted in a more secure Android ecosystem. \"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/google-play-store-bug-bounty-shut-down-gpsrp\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-08-20T21:50:11+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/google-to-wind-down-app-store-bug-bounty-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1283\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"AJ Vicens\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@AJVicens\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1721926675g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1723570311g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1724182109g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ada0ad45b21fc79c6694\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/81447\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.6.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=81447\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fgoogle-play-store-bug-bounty-shut-down-gpsrp%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fgoogle-play-store-bug-bounty-shut-down-gpsrp%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-81447 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/google-play-store-bug-bounty-shut-down-gpsrp\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"4.952380952381\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Voting is open for the 2024 CyberScoop 50 awards! <\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/vote\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.195749440716\">\n<div class=\"single-article__header-content\" readability=\"29.787610619469\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/cybersecurity\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul>\n<p> The tech giant says it is receiving fewer vulnerabilities and that security improvements have resulted in a more secure Android ecosystem. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"428\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/google-to-wind-down-app-store-bug-bounty.jpg?resize=640%2C428&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/google-to-wind-down-app-store-bug-bounty-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/google-to-wind-down-app-store-bug-bounty-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/google-to-wind-down-app-store-bug-bounty-2.jpg?resize=768,513 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/google-to-wind-down-app-store-bug-bounty-2.jpg?resize=1024,684 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/google-to-wind-down-app-store-bug-bounty-2.jpg?resize=1536,1026 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/google-to-wind-down-app-store-bug-bounty-2.jpg?resize=600,401 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/google-to-wind-down-app-store-bug-bounty-2.jpg?resize=251,168 251w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/google-to-wind-down-app-store-bug-bounty-2.jpg?resize=504,337 504w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/google-to-wind-down-app-store-bug-bounty-2.jpg?resize=1010,675 1010w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/google-to-wind-down-app-store-bug-bounty-2.jpg?resize=1262,843 1262w\" sizes=\"(max-width: 1010px) 100vw, 1010px\"><figcaption> A picture taken on September 21, 2016 shows a statue donated by Google during its inauguration in Montelimar, as Google decided to launch a new version of the android operating system. (JEFF PACHOUD\/AFP via Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"43.692142088267\"><body readability=\"87.821753986333\"><\/p>\n<p>Google is winding down a bug bounty program that provides a financial reward to hackers who discover and submit evidence of vulnerabilities in highly popular applications, a move prompted by a diminishing number of vulnerabilities submitted to the program, a Google spokesperson told CyberScoop Tuesday.<\/p>\n<p>Introduced in 2017, the Google Play Security Reward Program was designed to incentivize the identification of vulnerabilities in apps available for download in the <a href=\"https:\/\/play.google.com\/store\/games?pli=1\">Google Play Store<\/a>, the most used app market in the world, with billions of apps and games available and more than 113 billion apps and games downloaded in 2023, <a href=\"https:\/\/www.businessofapps.com\/data\/google-play-statistics\/\">according to some estimates<\/a>.<\/p>\n<p>Seven years later, the program \u201chas achieved its goal\u201d of encouraging app developers to establish their own security programs, and therefore the company feels comfortable winding down the vulnerability reporting program, a Google spokesperson said. <\/p>\n<p>The program focuses on widely used applications developed by Google, such as the mobile application for Gmail and the Fitbit app, along with a host of other <a href=\"https:\/\/bughunters.google.com\/about\/rules\/android-friends\/5604090422493184\/google-play-security-reward-program-rules#opted-in-organizations-and-developers\">widely popular apps<\/a>. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The company notified researchers of the decision in an email in recent days, writing that because of \u201cthe overall increase in Android OS security posture and feature hardening efforts, we\u2019ve seen fewer vulnerabilities reported by the research community.\u201d<\/p>\n<p>The program will end Aug. 31, and any reports submitted before then will be triaged by Sept. 15, the company said, with final reward decisions made before Sept. 30, \u201cwhen the program is officially discontinued.\u201d<\/p>\n<p>\u201cRIP GPSRP,\u201d Sean Pesce, an information security researcher, <a href=\"https:\/\/x.com\/SeanPesce\/status\/1824400006746394648\">posted to X on Aug. 16<\/a> when he shared the Android Security Team email. \u201cAndroid hacking just got a lot less lucrative.\u201d<\/p>\n<p>Mathias Payer, a computer security researcher at Switzerland\u2019s \u00c9cole Polytechnique F\u00e9d\u00e9rale de Lausanne, told CyberScoop that it\u2019s \u201ca tough situation\u201d given that Google makes \u201csubstantial money\u201d on its app store,and the bug bounty program allowed it to \u201cprotect their customers at large.\u201d<\/p>\n<p>\u201cOn the other hand, these large companies that run their app on the Google platform could be running bug bounty platforms themselves,\u201d Payer added in an email. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Payer said that some companies selling apps via the Google Play store may have the resources to run their own bug bounty programs, the decision to shut down Google\u2019s bounty program removes an important feature of its security ecosystem. <\/p>\n<p>\u201cIn an ideal world, both sides would work openly with security researchers to protect their systems both through a bug bounty platform but also by investing into active security,\u201d he said. <\/p>\n<p>\u201cWe greatly appreciate the security research community that helps keep Android users safe,\u201d the Google spokesperson told CyberScoop, adding that the GPSRP \u201cwas the first program of its type to pay a bonus reward in addition to any applicable developer vulnerability reward programs.\u201d <\/p>\n<p>But, given what the company described as advancements in its security features and operating system hardening, there have been fewer \u201cactionable vulnerabilities reported\u201d to the program. <\/p>\n<p>The spokesperson did not respond to a question about why the company would not simply keep the program running, even with reduced staffing or resources. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cWe encourage researchers to work directly with application developers should they discover potential security vulnerabilities,\u201d the spokesperson said. <\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.3300492610837\">\n<div class=\"author-card\" readability=\"8\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/google-to-wind-down-app-store-bug-bounty-1.jpg?w=640&ssl=1\" alt=\"AJ Vicens\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by AJ Vicens<\/h4>\n<p> AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal\/WhatsApp: (810-206-9411). <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/google-play-store-bug-bounty-shut-down-gpsrp\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Google to wind down app store bug bounty | CyberScoop<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[2491,2492,78,387,256,310],"tags":[2493,2494,86,391,262,311],"class_list":["post-4958","post","type-post","status-publish","format-standard","hentry","category-android","category-bug-bounty","category-cybersecurity","category-google","category-research","category-technology","tag-android","tag-bug-bounty","tag-cybersecurity","tag-google","tag-research","tag-technology"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/android\/\" rel=\"category tag\">Android<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/bug-bounty\/\" rel=\"category tag\">bug bounty<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/google\/\" rel=\"category tag\">Google<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/technology\/\" rel=\"category tag\">Technology<\/a>","tag_info":"Technology","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4958","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=4958"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4958\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=4958"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=4958"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=4958"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":4958,"date":"2024-08-20T16:50:11","date_gmt":"2024-08-20T21:50:11","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=81447"},"modified":"2024-08-20T16:50:11","modified_gmt":"2024-08-20T21:50:11","slug":"google-to-wind-down-app-store-bug-bounty","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/08\/20\/google-to-wind-down-app-store-bug-bounty\/","title":{"rendered":"Google to wind down app store bug bounty\u00a0"},"content":{"rendered":"