Google Play Security Reward Program Rules
Google Play Security Reward Program (GPSRP) is a vulnerability reward program offered by Google Play in collaboration with the developers of certain popular Android apps. It recognizes the contributions of security researchers who invest their time and effort in helping make apps on Google Play more secure.
The goal of the program is to identify and mitigate vulnerabilities in apps on Google Play, and keep Android users, developers and the Google Play ecosystem safe.
If you're an app developer that would like to learn more about working directly with external security researchers, please apply to join GPSRP.
Exposure Notification API and Associated Apps
GPSRP is temporarily introducing the Exposure Notification API and any apps (both first and third party) on Google Play using the Exposure Notification API into scope, as well as any governmental apps on Google Play related to Contact Tracing. If you identify a vulnerability in an app of this nature, please submit the vulnerability details directly to GPSRP. Note that the non-qualifying issues below, at panel discretion, may still qualify for apps in this temporary scope.
Hacker “Cheat Sheet”
GPSRP focuses on identifying vulnerabilities in popular Android apps on Google Play (i.e. with 100 million or more installs, and any apps listed in scope). Please see the rules and reward criteria below for more detail.
To Developer: If an organization has their own public means of receiving vulnerability reports (security@ email address and associated disclosure policy, or a public vulnerability disclosure or bug bounty program), always submit the vulnerability to them first. After the vulnerability is fixed (or if 30 days have passed with no response), you can submit the vulnerability details to GPSRP.
To GPSRP: If an organization has no obvious public means of receiving vulnerability reports and the app has 100 million or more installs, you may attempt to disclose the issue to the app developer by submitting the vulnerability directly to GPSRP.
Please review the terms before submitting your report. Google makes no guarantees in terms of our ability to successfully disclose the issue to the affected app developer. If the issue qualifies based on the criteria listed in this policy, it may be eligible for a reward.
A “duplicate” refers to when a vulnerability report is submitted that is very similar or exactly the same as a previously submitted report.
- When duplicates occur, only the first report that was received is awarded (provided that it can be fully reproduced).
- Very similar issues in one or more apps by the same developer may be considered as duplicates of the first report submitted (e.g. a vulnerability with a single root cause present in multiple activities).
SDK and library vulnerabilities
- If you have identified a vulnerability in an SDK or library used by an app developer (but not developed by the app developer), please submit it directly to the maintainer of the affected SDK or library. If this is not possible and you submit a report on a vulnerable app due to an SDK or library they are using, please note that SDK and library vulnerabilities will only receive a single payout at 2x the normal reward amount (e.g. a $3k issue would be worth $6k) to reflect the additional impact of these types of bugs.
- If multiple reports of the same SDK or library vulnerability are received, even across different apps, they will be considered duplicates of the earliest report submission due to having the same root cause.
- The SDK or library must be in use by multiple organizations. Code that is shared across multiple apps by the same parent organization will not be eligible for the SDK/library bonus.
- If you are submitting a bonus reward claim for a fixed issue you’ve reported to an app developer, only issues that have been patched within 90 days of report submission to GPSRP will qualify.
- Reports must contain the information requested in the submission form. Reports not containing the required information and not meeting the criteria for this program will not be eligible for a reward.
- When duplicates occur, only the first report that was received is awarded (provided that it can be fully reproduced). Please see the hacker cheat sheet for more info on how duplicates are handled.
- We aim to be fair; any and all reward decisions under the Google Play Security Reward Program are ultimately at the discretion of Google. App developers have no control over the Google Play Security Reward Program.
- Any vulnerabilities identified in first party apps should be submitted to the Google VRP, and are subject to the Google VRP program rules.
- Employees of organizations that develop apps are ineligible for rewards for vulnerabilities in apps developed by their organization.
Rewards are based on impact and exploitability. The following table outlines the usual rewards chosen for the most common classes of bugs.
| Category | 1) Remote / no user interaction | 2) User must follow a link, vulnerable app must be already installed | 3) User must install malicious app or victim app is configured in a non-default way | 4) Attacker must be on the same network (e.g. MiTM) |
|---|---|---|---|---|
| Arbitrary code execution | $20,000 | $10,000 | $4,000 | $1,000 |
| Theft of sensitive data | $5,000 | $3,000 | $1,000 | $500 |
The following sections outline the impacts above in more detail.
Arbitrary Code Execution (ACE)
In order to qualify, ACE should allow an attacker to run native ARM code of their choosing on a user’s device without user knowledge or permission, in the same process as the affected app (there is no requirement that the OS sandbox needs to be bypassed).
Examples may include:
- Attacker gaining full control, meaning code can be downloaded from the network and executed
- Overwriting a .so file with a malicious .so file that is executed by the victim app
- Executing Java code in order to call exec and thus run arbitrary native ARM code
Theft of sensitive data
This impact category includes vulnerabilities that lead to unauthorized access to sensitive data from an app on an Android device.
For the scope of this program, sensitive data is classified as:
- Data that results in unauthorized access to a user’s account (e.g. login credentials, authentication tokens that are able to perform sensitive state-changing actions that result in non-trivial damage to the victim).
- Sensitive user-generated data: contact list information, photos (unless made public by default), content of a user’s messages (email, instant messages, text messages), call/SMS logs, web history (being able to profile or enumerate a specific user based on their web history), or browser bookmarks.
- Information that is linked or linkable to an individual, such as medical, educational, financial or payment data, and employment information.
Location information alone does not qualify (unless combined with the ability to uniquely identify an individual).
Access to non-sensitive internal files of another app does not qualify.
Examples of vulnerabilities that result in this impact include, but are not limited to:
- Insecurely stored data files containing sensitive data that are accessible to other apps
- Sensitive data sent over insecure network connections that can be intercepted
- Insecurely designed app internals like content providers or activities that can be manipulated to expose sensitive data
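The third bullet is the pattern behind most "theft of sensitive data" reports against Android apps: an activity takes input from an incoming Intent and uses it to decide where the user's session material goes. The Activity below is an added example written for this page; it is not code from the GPSRP rules or from any app listed here. Names such as DeepLinkWebViewActivity, the "url" extra, loadSessionToken and the example.com hosts are assumptions. It shows the weak pattern (credentials attached to whatever URL the Intent carried) as a comment, and the hardened pattern that only attaches them for an https URL on an allowlisted host.

```java
// Added example, not code from the GPSRP rules or from any listed app.
// Hypothetical Activity that opens a URL received via a deep link in a WebView.
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class DeepLinkWebViewActivity extends Activity {

    // Assumption: these are the only hosts that should ever receive the session token.
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com", "account.example.com"));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        // "url" arrives from whoever fired the Intent, so it is untrusted input.
        String url = getIntent().getStringExtra("url");
        String token = loadSessionToken(); // hypothetical: reads the app's stored session token

        // Weak pattern: the token is attached to whatever URL was supplied, so a crafted
        // link makes the app ship the user's session to a third-party site.
        //   webView.loadUrl(url, Collections.singletonMap("Authorization", "Bearer " + token));

        // Hardened pattern: attach credentials only for an https URL on an allowlisted host.
        Map<String, String> headers = authHeadersFor(url, token);
        if (url != null && !headers.isEmpty()) {
            webView.loadUrl(url, headers);
        } else {
            // Do not navigate to untrusted input at all; open a fixed in-app page instead.
            webView.loadUrl("https://app.example.com/home");
        }
    }

    /** Returns the Authorization header only when {@code url} is https on a trusted host. */
    static Map<String, String> authHeadersFor(String url, String token) {
        if (url == null || token == null) {
            return Collections.emptyMap();
        }
        Uri uri = Uri.parse(url);
        String host = uri.getHost();
        if (!"https".equalsIgnoreCase(uri.getScheme()) || host == null
                || !TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            return Collections.emptyMap();
        }
        return Collections.singletonMap("Authorization", "Bearer " + token);
    }

    private String loadSessionToken() {
        // Hypothetical stand-in for the app's real credential storage.
        return getSharedPreferences("session", MODE_PRIVATE).getString("token", null);
    }
}
```

Two caveats a reviewer would raise: the extra headers passed to loadUrl apply only to the initial request, so an app that needs the token on later navigations should re-check the host in a WebViewClient rather than rely on this one call; and the allowlist compares the exact parsed host, since a prefix or substring check ("starts with app.example.com") is a classic bypass.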
For more information on vulnerability classes, please see this PDF.
- Certain common low-risk vulnerabilities deemed trivially exploitable will not qualify for rewards. A few such issues may be found here.
- Attacks requiring physical access to devices, including physical proximity for Bluetooth.
- Attacks requiring access to accessibility services.
- Destruction of sensitive data.
- Tricking a user into installing a malicious app without READ_EXTERNAL_STORAGE or WRITE_EXTERNAL_STORAGE permissions that abuses a victim app to gain those permissions.
- Intent or URL Redirection leading to phishing.
- Server-side issues.
- Apps that store media in external storage that is accessible to other apps on the device.
Issues already known to Google (and in the process of being mitigated/fixed) that can be used to uncover similar vulnerabilities across multiple apps in the Google Play Store will be published to the known issues list. Such vulnerabilities are not deemed severe enough to warrant the default reward from Google Play (while still being relevant for the developer to fix), but may still qualify for a smaller reward (listed below).
Theft of sensitive data via:
| Issue | Reward |
|---|---|
| Malicious URL input resulting in leaking session information via WebView. E.g. passing malicious URL input to an app that results in the user navigating to an attacker-controlled website, where the app automatically appends cookies or parameter values containing session information to the requests. | $500 |
| Theft of sensitive data or code execution via PendingIntent which can only be accessed by a third party application that has been granted the Android “notification” permission. (effective June 1, 2021) | $500 |
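The PendingIntent row describes a well-known weakness: a notification's content intent is a PendingIntent, and a mutable PendingIntent wrapping an implicit Intent lets whoever holds it alter the underlying Intent while it is still delivered under the posting app's identity. The class below is an added example, not code from the GPSRP rules or from any listed app; NotificationIntents, the request code, the action string and the InboxActivity class name are assumptions. It places the weak construction next to the hardened one so the two required changes (explicit component, FLAG_IMMUTABLE) are visible side by side.

```java
// Added example, not code from the GPSRP rules or from any listed app.
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;

public final class NotificationIntents {
    private NotificationIntents() {}

    private static final int REQUEST_CODE = 42; // hypothetical request code

    /**
     * Weak pattern: an implicit Intent (no target component) inside a mutable PendingIntent.
     * A holder of a mutable PendingIntent may modify the wrapped Intent (for example fill in
     * the missing component), and the Intent is then delivered with this app's identity and
     * permissions, which is how a notification-listener app reaches non-exported components.
     */
    static PendingIntent weakInboxIntent(Context ctx) {
        Intent implicit = new Intent("com.example.app.OPEN_INBOX"); // hypothetical action
        // Before Android 12 a PendingIntent without FLAG_IMMUTABLE is mutable by default.
        return PendingIntent.getActivity(ctx, REQUEST_CODE, implicit,
                PendingIntent.FLAG_UPDATE_CURRENT);
    }

    /**
     * Hardened pattern: explicit component plus FLAG_IMMUTABLE, so the holder can neither
     * redirect the Intent nor add extras. FLAG_IMMUTABLE exists since API 23 (Android 6.0),
     * the minimum version this program covers, so no runtime version check is needed.
     */
    static PendingIntent hardenedInboxIntent(Context ctx) {
        Intent explicit = new Intent(Intent.ACTION_VIEW)
                .setClassName(ctx, "com.example.app.InboxActivity"); // hypothetical activity
        return PendingIntent.getActivity(ctx, REQUEST_CODE, explicit,
                PendingIntent.FLAG_UPDATE_CURRENT | PendingIntent.FLAG_IMMUTABLE);
    }
}
```

When auditing an app for this class, grep every PendingIntent.getActivity/getBroadcast/getService call and check both properties: the Intent must name a component (or at least a package), and the flags must include FLAG_IMMUTABLE unless the app genuinely needs the receiver to fill in data, in which case the Intent still must be explicit.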
Only applications developed by Google, by participating developers (in the list below), or with 100 million or more installs are in scope. Only vulnerabilities that work on Android 6.0 devices (with the most up to date patches) and higher will qualify.
For Google-developed Android apps: please report vulnerabilities through the Google Vulnerability Reward Program or, for Chrome specifically, to the Chrome Reward Program. You can submit a reward claim here after the vulnerability is fixed.
Tier 1 programs have average first response times of less than 1 day, and resolution times of less than or equal to 1 month.
| Organization/Developer | Package Name(s) | Submit vulnerabilities to: |
|---|---|---|
| Mail.Ru | ru.mail.cloud, ru.mail.auth.totp, ru.mail.mailapp, com.my.mail, ru.mail.calendar | https://hackerone.com/mailru |
| MobiSystems | com.mobisystems.msdict.embedded..., com.mobisystems.fileman, com.mobisystems.office | https://hackerone.com/mobisystems_ltd |
| Spotify | com.spotify.music, com.spotify.tv.android, com.spotify.s4a | https://hackerone.com/spotify |
| Shopify | com.shopify.pos, com.shopify.mobile, com.shopify.pos.customerview | https://hackerone.com/shopify |
| Verily | com.verily.daybreak.nightlight, com.google.android.apps.baselinestudy, com.verily.myalo.scaleit | https://www.google.com/about/appsecurity/reward-program/ |
| VK.com (V Kontakte LLC) | com.vkontakte.android, com.vk.admin, com.vk.quiz | https://hackerone.com/vkcom |
Tier 2 programs have average first response times of less than or equal to 1 day, and/or triage times of less than or equal to 5 days, and/or resolution times of less than or equal to 3 months.
| Organization/Developer | Package Name(s) | Submit vulnerabilities to: |
|---|---|---|
| Grab | com.grab.food.dax, com.grabtaxi.passenger, com.grabtaxi.driver2 | https://hackerone.com/grab |
| PayPal Inc. | com.paypal.android.p2pmobile, com.paypal.here, com.paypal.merchant.client, com.xoom.android.app, com.venmo | https://hackerone.com/paypal |
Tier 3 programs either do not meet the criteria for tier 2 or above, or do not publicly display metrics around time to first response, time to triage, or time to resolution.
| Organization/Developer | Package Name(s) | Submit vulnerabilities to: |
|---|---|---|
| 8bit Solutions LLC | | email@example.com |
| Coinbase | com.coinbase.android, org.toshi, com.coinbase.pro | https://hackerone.com/coinbase |
| | com.facebook.katana, com.facebook.orca, com.instagram.android, com.whatsapp | https://www.facebook.com/whitehat/report/ |
| Language Drops | com.languagedrops.drops.international | firstname.lastname@example.org |
| Ok.Ru | ru.ok.android, ru.ok.messages, ru.ok.live | https://hackerone.com/ok |
| Opera | com.opera.browser, com.opera.mini.native, com.opera.touch, com.opera.app.news, com.opera.app.newslite | https://security.opera.com/report-security-issue/ |
| Quvideo Inc | com.quvideo.xiaoying | email@example.com |
| Telegram Messenger LLP | | firstname.lastname@example.org |
| Yandex LLC | ru.yandex.disk, ru.yandex.taxi, ru.yandex.metro, ru.yandex.music, ru.yandex.mail, ru.yandex.weatherplugin, ru.yandex.searchplugin, ru.yandex.yandexmaps, ru.yandex.market, com.yandex.browser, ru.yandex.yandexnavi | https://yandex.com/bugbounty/report/ |
We are unable to issue rewards to individuals who are on US sanctions lists, or who are in countries subject to US sanctions. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law. This is not a competition, but rather an experimental and discretionary reward program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion. Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own. To avoid potential conflicts of interest, we will not grant rewards to people employed by Google or Google Partner companies who develop code for devices covered by this program.
For Finders who participate in certain programs of particular customers, to the extent described in the Program Policies, Google may share contact information about those Finders (name, company name (if applicable) and email address) with app developers to verify the Finder was the original reporter of an issue, and to allow those app developers to contact those Finders and interact with them directly. For any reward claim on a fixed vulnerability, Google will reach out to the affected app developer to confirm your claim and determine if the report is eligible for a reward based on the current vulnerability criteria. If the app developer has a private program, please ask the app developer for permission before submitting a reward claim here.
Thank you for helping improve the security of the Google Play ecosystem!