Between October 2023 and the month in which you are reading this, Google announced a major reversal in its Play Security Rewards Program (PSRP) policy: it will stop rewarding researchers for finding bugs in popular Android apps. The move can be described as a revolutionary shift in how Google approaches app security, and it has prompted debate across the cybersecurity industry.
The Program’s Evolution
The PSRP was founded in 2017 as part of the wider bug bounty programs launched by Google. It offered monetary incentives to security experts who found vulnerabilities in third-party Android applications on the Google Play Store. The idea behind the program was to promote responsible disclosure, thereby enhancing the overall safety of the Android ecosystem.
Over time, the scheme grew to encompass a wide variety of applications, with rewards from Google ranging between USD 500 and USD 20000 depending on the severity of the vulnerability. Through these efforts many security loopholes were discovered and patched, safeguarding millions of Android users.
According to Google, the firm decided to reallocate resources to areas it considers more useful, such as improving the Android operating system itself and bolstering the Play Store’s automated defenses against harmful applications, in order to refocus its security efforts. The spokesperson said: “Although the Play Security Rewards Program has been successful in unearthing loopholes, we feel we should channel our efforts towards investing in root-cause, long-term solutions for stronger security.”

The announcement drew mixed reactions from stakeholders in cybersecurity, including industry players who believe it could discourage vulnerability research on third-party applications. Professor Robert A. Wright and other researchers said they were disappointed by the loss of monetary rewards for finding these flaws, which might otherwise go undetected because some researchers lack the funds to sustain their work. Because little or no money would come from appealing to the developers themselves, attackers could meet less resistance and more easily compromise vulnerable devices owned by unsuspecting users.
Nonetheless, a few authorities hold that Google is doing the right thing. According to John Doe, a cybersecurity expert, the Android environment is so broad that it is impossible to depend entirely on bug bounty programs for third-party applications. “Focusing on platform-level security improvements by Google could ultimately lead to stronger protections,” he said.
Where are we headed with Android Protection?
Despite ending payments for bugs in third-party apps, Google has communicated its unwavering commitment to protecting the Android operating system. Instead, it will focus on other initiatives such as the Android Vulnerability Rewards Program (AVRP), whose purpose is to discover weaknesses in its own software and first-party apps.

Furthermore, Google has urged application developers to take more responsibility for the security of their products, providing them with recommendations and tools that can help them detect possible flaws before consumers are ever exposed to them. The company has also hinted at possible updates to the Play Store’s built-in security defenses that would help in spotting and neutralising attacks from high-risk or malicious applications. Insecurity in the areas Google Play is directed at will necessitate adjustments in the settings for Android applications. Even though stopping payouts for vulnerabilities found in popular apps seems likely to mean fewer reports of third-party vulnerabilities, Google’s commitment to enhancing security across the board implies that it is investing in an all-inclusive mechanism to safeguard users against attacks. However, every stakeholder is waiting to see what this will mean for overall security across platforms running Android.









