Google Play Security Reward Program Rules

Google Play Security Reward Program (GPSRP) is a vulnerability reward program offered by Google Play in collaboration with the developers of certain popular Android apps. It recognizes the contributions of security researchers who invest their time and effort in helping make apps on Google Play more secure.

The goal of the program is to identify and mitigate vulnerabilities in apps on Google Play, and keep Android users, developers and the Google Play ecosystem safe.

If you're an app developer that would like to learn more about working directly with external security researchers, please apply to join GPSRP.

Exposure Notification API and Associated Apps

GPSRP is temporarily introducing the Exposure Notification API and any apps (both first and third party) on Google Play using the Exposure Notification API into scope, as well as any governmental apps on Google Play related to Contact Tracing. If you identify a vulnerability in an app of this nature, please submit the vulnerability details directly to GPSRP. Note that the non-qualifying issues below, at panel discretion, may still qualify for apps in this temporary scope.

Hacker “Cheat Sheet”

GPSRP focuses on identifying vulnerabilities in popular Android apps on Google Play (i.e. with 100 million or more installs, and any apps listed in scope). Please see the rules and reward criteria below for more detail.

Disclosure Process


A “duplicate” refers to when a vulnerability report is submitted that is very similar or exactly the same as a previously submitted report.

SDK and library vulnerabilities

Program Rules

Reward Criteria

Rewards are based on impact and exploitability. The following table outlines the usual rewards chosen for the most common classes of bugs.

Columns (attack preconditions):
  1) Remote / no user interaction
  2) User must follow a link; vulnerable app must already be installed
  3) User must install a malicious app, or the victim app is configured in a non-default way
  4) Attacker must be on the same network (e.g. MITM)

Impact                     1)         2)         3)        4)
Arbitrary code execution   $20,000    $10,000    $4,000    $1,000
Theft of sensitive data    $5,000     $3,000     $1,000    $500

The following sections outline the impacts above in more detail.

Arbitrary Code Execution (ACE)

In order to qualify, ACE should allow an attacker to run native ARM code of their choosing on a user’s device without user knowledge or permission, in the same process as the affected app (there is no requirement that the OS sandbox needs to be bypassed).

Examples may include:

Executing arbitrary JavaScript does not qualify. Tricking a user into installing an app and executing code within that app itself does not qualify.

Theft of sensitive data

This impact category includes vulnerabilities that lead to unauthorized access to sensitive data from an app on an Android device.

For the scope of this program, sensitive data is classified as:

Location information alone does not qualify (unless combined with the ability to uniquely identify an individual).

Access to non-sensitive internal files of another app does not qualify.

Examples of vulnerabilities that result in this impact include, but are not limited to:

For more information on vulnerability classes, please see this PDF.

Non-qualifying issues

Known Issues

Issues already known to Google (and in the process of being mitigated/fixed) that can be used to uncover similar vulnerabilities across multiple apps in the Google Play Store will be published to the known issues list. Such vulnerabilities are not deemed severe enough to warrant the default reward from Google Play (while still being relevant for the developer to fix), but may still qualify for a smaller reward (listed below).

Issue category / Reward

Theft of sensitive data via:
  • Malicious URL input
  • Symlinks
  • javascript: URLs
  • file: URLs
  • JavaScript interfaces
  • Custom deeplinks loaded in a WebView (e.g. passing malicious URL input to an app's WebView, resulting in the app processing a link of this nature or another URL that results in access to sensitive data via a WebView)

Malicious URL input resulting in leaking session information via WebView, e.g. passing malicious URL input to an app that results in the user navigating to an attacker-controlled website, where the app automatically appends cookies or parameter values containing session information to the requests.
  Reward: $500

Theft of sensitive data or code execution via a PendingIntent which can only be accessed by a third-party application that has been granted the Android “notification” permission (effective June 1, 2021).
  Reward: $500
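As an added illustration of the defensive check behind several of the known-issue classes above (this is example code, not from the program page or any participating developer): a hypothetical app receives a URL from a custom deeplink and is about to hand it to a WebView. The helper below rejects javascript:, file:, content: and other non-https schemes, rejects URLs on hosts outside an assumed allowlist (example.com), and gates whether session tokens may be attached to the request. The class and host list are assumptions for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

/** Added example: validate deeplink-supplied URLs before a WebView loads them. */
public final class DeeplinkUrlPolicy {
    // Assumption for the example: the app only renders content from these hosts.
    private static final Set<String> ALLOWED_HOSTS = Set.of("example.com", "www.example.com");

    /** True only for an https URL on an allowlisted host; everything else fails closed. */
    public static boolean isLoadableInWebView(String raw) {
        if (raw == null) return false;
        URI uri;
        try {
            uri = new URI(raw.trim());
        } catch (URISyntaxException e) {
            return false;                                   // malformed input: fail closed
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        // "javascript:alert(1)" and "file:///data/..." have no host and are rejected here.
        if (scheme == null || host == null) return false;
        // Rejects file:, content:, intent:, http: and any other scheme.
        if (!scheme.equalsIgnoreCase("https")) return false;
        // Rejects "https://example.com@attacker.invalid/"-style userinfo confusion.
        if (uri.getUserInfo() != null) return false;
        return ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    /** Session cookies/tokens may only ride on requests bound for an allowlisted host. */
    public static boolean mayAttachSessionToken(String raw) {
        return isLoadableInWebView(raw);
    }

    public static void main(String[] args) {
        // Constructed sample inputs covering the known-issue classes listed above.
        String[] samples = {
            "https://www.example.com/account",      // allowed
            "javascript:alert(document.cookie)",    // rejected: no host, wrong scheme
            "file:///data/data/com.example/shared_prefs/session.xml", // rejected
            "https://attacker.invalid/collect",     // rejected: host not allowlisted
            "https://example.com@attacker.invalid/" // rejected: userinfo trick
        };
        for (String s : samples) {
            System.out.println(isLoadableInWebView(s) + "  " + s);
        }
    }
}
```

On Android, pair a check like this with `WebSettings.setAllowFileAccess(false)` and keep `@JavascriptInterface` surfaces minimal; for the PendingIntent row, create intents with `PendingIntent.FLAG_IMMUTABLE` so other apps cannot rewrite them.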


Only applications developed by Google, by participating developers (in the list below), or with 100 million or more installs are in scope. Only vulnerabilities that work on Android 6.0 devices (with the most up to date patches) and higher will qualify.

For Google-developed Android apps: please report vulnerabilities through the Google Vulnerability Reward Program or, for Chrome specifically, to the Chrome Reward Program. You can submit a reward claim to GPSRP after the vulnerability is fixed.

Tier 1

Tier 1 programs have average first response times of less than 1 day, and resolution times of less than or equal to 1 month.

Organization/Developer Package Name(s) Submit vulnerabilities to:
Instacart com.instacart.client, com.instacart.shopper
JNJ Mobile
Mail.Ru, ru.mail.auth.totp, ru.mail.mailapp,, ru.mail.calendar
MobiSystems com.mobisystems.msdict.embedded..., com.mobisystems.fileman,
Spotify,, com.spotify.s4a
Shopify com.shopify.pos,, com.shopify.pos.customerview
Verily com.verily.daybreak.nightlight,, com.verily.myalo.scaleit
(V Kontakte LLC) com.vk.admin, com.vk.quiz
Zomato com.application.zomato, com.application.zomato.ordering

Tier 2

Tier 2 programs have average first response times of less than or equal to 1 day, and/or triage times of less than or equal to 5 days, and/or resolution times of less than or equal to 3 months.

Organization/Developer Package Name(s) Submit vulnerabilities to:
Dropbox, com.dropbox.paper
Fitbit com.fitbit.FitbitMobile
Grab, com.grabtaxi.passenger, com.grabtaxi.driver2
Livestream com.livestream.livestream
PayPal Inc.,, com.paypal.merchant.client,, com.venmo
Pinterest com.pinterest
Tesla com.teslamotors.tesla

Tier 3

Tier 3 programs either do not meet the criteria for tier 2 or above, or do not publicly display metrics around time to first response, time to triage, or time to resolution.

Organization/Developer Package Name(s) Submit vulnerabilities to:
8bit Solutions LLC com.x8bit.bitwarden
Ayopop com.ayopop
Coinbase, org.toshi, im.delight.letters
Facebook com.facebook.katana, com.facebook.orca,, com.whatsapp
Kingsoft Office cn.wps.moffice_eng
Language Drops, com.languagedrops.drops.scrips.learn.write.alphabet.letters.characters.language.japanese.korean.chinese
Ok.Ru, ru.ok.messages,
Opera com.opera.browser,, com.opera.touch,,
Quvideo Inc com.quvideo.xiaoying, com.quvideo.slideplus
Smule com.smule.singandroid.*
Telegram Messenger LLP org.telegram.messenger
TikTok, com.zhiliaoapp.musically
Tinder com.tinder
VHX tv.vhx.*
VLC org.videolan.vlc
Yandex LLC,,,,,,,,,,
YY Inc com.yy.hiyo

We are unable to issue rewards to individuals who are on US sanctions lists, or who are in countries subject to US sanctions. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law. This is not a competition, but rather an experimental and discretionary reward program. You should understand that we can cancel the program at any time, and that the decision as to whether or not to pay a reward is entirely at our discretion. Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own. To avoid potential conflicts of interest, we will not grant rewards to people employed by Google or Google Partner companies who develop code for devices covered by this program.

For Finders who participate in certain programs of particular customers, to the extent described in the Program Policies, Google may share contact information about those Finders (name, company name (if applicable) and email address) with app developers to verify that the Finder was the original reporter of an issue, and to allow those app developers to contact those Finders and interact with them directly. For any reward claim on a fixed vulnerability, Google will reach out to the affected app developer to confirm your claim and determine if the report is eligible for a reward based on the current vulnerability criteria. If the app developer has a private program, please ask the app developer for permission before submitting a reward claim to GPSRP.

Thank you for helping improve the security of the Google Play ecosystem!