App developers such as Facebook, Microsoft, or Twitter, which run their own private bug bounty programs, are not excluded from the GPSRP.
Google said security researchers could submit the same bug report via the GPSRP and then to those companies' private bug bounty programs, and receive a reward for the same bug twice.
Google recently increased app bug rewards
Google launched the GPSRP in 2017. In the program's first three years, bug hunters could earn up to $5,000 for remote code execution (RCE) bugs, and up to $1,000 for bugs that resulted in the theft of private data or in access to an app's protected components.
But despite Google offering to pay for bugs in non-Google apps, the program never caught on, as security researchers tended to drift towards Google's other bug bounty programs. To date, the GPSRP has paid security researchers just over $265,000 in bounties, a fraction of the millions of dollars Google has paid through its other bug bounty programs.
Last month, in an attempt to boost participation in the program, Google increased payouts for the aforementioned bugs to $20,000 for RCEs, and to $3,000 for the other two categories.
Furthermore, while initially only a small subset of popular apps was included in the GPSRP (manually selected by Google), starting today, any Android app or game that has passed the 100 million download mark is automatically eligible, making the company's Play Store bug bounty program even more attractive than before.
Google has been repurposing Android app bug reports
In addition, even if at first glance it appears that Google is paying out of its own pocket for bugs in third-party apps, the company said there is a tangible benefit to it and a method to its madness.
The Android OS maker said that the vulnerability reports it has received through the GPSRP over the past three years haven't gone to waste. All bug reports have been cataloged and fed into a system that automatically scans other Play Store apps for the same issues.
If other apps are found to be vulnerable to a bug reported via the GPSRP, those apps' developers receive alerts in their Google Play Console telling them to fix the issues or have their apps removed from the Play Store.