Google is shutting down its bug bounty program. As reported by Android Authority, the company is sunsetting the Google Play Security Reward Program on Aug. 31. Google will review any reports submitted before that date through Sept. 15, and will officially bring its financial rewards to a close on Sept. 30.
The decision comes almost seven full years after Google initially rolled out the Google Play Security Reward Program. Back in 2017, the company announced the program to offer security researchers an incentive to hunt down bugs and vulnerabilities in Android apps. Those researchers could then share their findings with the apps' developers, so they could patch security gaps as quickly as possible.
This isn't a Google-exclusive idea, either: Plenty of companies offer financial rewards for ethical hackers to find and report vulnerabilities, big or small. No company can catch all the bugs on their own, so the idea is to outsource some of that work to talented individuals who might see something the company doesn't. In Google's case, their Play Store has millions of apps, so extra eyes are effective.
The program has grown to offer a spread of financial rewards depending on the vulnerability: Google would pay as little as $500 for a report of a flaw that would allow a hacker to break in if they were on the same network as a user, to as much as $20,000 for a vulnerability that would allow a hacker to attack users remotely using arbitrary code execution.
Google says it's winding down the program as there have been "fewer actionable vulnerabilities reported by the research community," which the company attributes this to an increase in Android's built-in security measures. If true, that's certainly good news: Any increase in Google's security policies is a positive, and if they're feeling confident enough in their abilities to eliminate assistance from third parties, perhaps that's a good sign. Google says they have been able to take vulnerability data from these reports to create automated systems that look for these issues in apps without manual intervention.
But this is Google we're talking about. The company hasn't always had the end-user's privacy and security front of mind in every business decision. Even ignoring that, this just feels a bit risky. There are a lot of apps on the Play Store, and many of those developers likely don't have their own systems in place to look out for bugs. Small devs may not spot a serious security vulnerability on their own, and if Google's systems don't catch it, that could affect users.
And it's not just legitimate apps with security flaws you need to watch out for: Malicious apps are discovered on the Play Store all the time. Back in May, we reported on a group of 90 malicious apps that had been installed collectively 5.5 million times. And that's with this program in full effect. Hopefully Google's security protocols are up to snuff, but it's a shame to dismiss ethical hackers who would be hunting for these exact security flaws.
It's now more important than ever to be careful when downloading apps from the Play Store on Android.
Before you download an app, take a critical look at the page: Is the writing full of grammar and spelling issues? Are the images low quality, or seem irrelevant to what the app is selling? Do the reviews look like they could have been written for any generic app, rather than the specific program you're looking at? These are all signs of a malicious app, and you should steer clear.
But keep an eye on other aspects, as well: Look at the privacy report, and evaluate what permissions the app is going to request of you. Even if the app is legitimate, if it requires too much data from you, that's a liability if the app is ever compromised. (There's also no reason many of these apps need such personal information, like your contacts or location.)
Most of all, remember to keep your apps regularly updated. If there are vulnerabilities discovered, developers will patch and update their apps. To routinely check your updates, open the Play Store, tap your profile picture in the top-right, choose Manage apps & device, then Manage. Then update the apps that have available updates.
