GPSRP pays researchers for reporting abusiv google playstore apps

GPSRP pays researchers for reporting abusiv google playstore apps

Adam Bacchus, Sebastian Porst, and Patrick Mutchler  of the  Android Security & Privacy Team, announced great news of a upcoming data protection and privacy reward program. This week google extends the scope of GPSRP to include all apps in Google Play with 100 million or more installations. These apps can now be rewarded even if the app developers (3rd party) don't have their own vulnerability or bug bounty program.

The GPSRP program, which was originally launched about 1 year ago, is still limited to reporting vulnerabilities only in very popular Android apps in the Google Play Store. Many of them have their own products.

What is a bit confusing here is that the previous apps were also interesting for general security checks, but the focus of Google as a company was mostly only on its own products. Here personal responsibility is suggested, but whether this is the truth or only the data protectors of the future with lawsuits to deter is still in the stars.

With the latest announcement, Google will now work with developers of hundreds of thousands of Android apps, each with at least 100 million downloads, to help them implement vulnerability reports and patch instructions.

As part of Google's App Security Improvement (ASI) program, the existing initiative has already helped over 300,000 developers install more than 1,000,000,000 apps on the Google Play Store. For years, researchers or detectors have not been paid for these apps, even though Google has demonstrably derived benefits such as added value free of charge. This has annoyed the security community most about bug bounties and responsible disclosure, as these findings should have been made long before. Due to the threat of sanctions in the EU and a growing user awareness around data protection, large companies are forced to behave like this in the long run. The same behavior can be observed on Facebook, which only reacts with the same measures after massive damage has occurred.


Rate this article: 
Average: 5 (1 vote)


gsec could have done that already years ago.

Add new comment

Plain text

  • No HTML tags allowed.