19/10/2017
In Scope

Scope Type | Scope Name
---|---
android_application | com.livestream.livestream
android_application | tv.vhx.*
android_application | com.vimeo.android.videoapp
android_application | com.application.zomato.ordering
android_application | com.languagedrops.drops.scrips.learn.write.alphabet.letters.characters.language.japanese.korean.chinese
android_application | com.languagedrops.drops.international
android_application | ru.yandex.yandexnavi
android_application | com.yandex.browser
android_application | com.snapchat.android
android_application | com.xoom.android.app
android_application | in.sweatco.app
android_application | com.my.mail
android_application | org.telegram.messenger
android_application | com.duolingo
android_application | com.dropbox.android
android_application | com.shopify.pos.customerview
android_application | com.shopify.mobile
android_application | com.grabtaxi.passenger
android_application | com.grab.food.dax
android_application | com.shopify.pos
android_application | ru.ok.live
android_application | ru.ok.messages
android_application | ru.ok.android
android_application | ru.yandex.yandexmaps
android_application | com.vk.quiz
android_application | com.vk.admin
android_application | com.ayopop
android_application | com.spotify.s4a
android_application | com.spotify.music
android_application | com.opera.touch
android_application | com.opera.mini.native
android_application | com.opera.browser
android_application | com.application.zomato
android_application | com.vkontakte.android
android_application | com.venmo
android_application | com.paypal.merchant.client
android_application | com.paypal.here
android_application | com.teslamotors.tesla
android_application | im.delight.letters
android_application | com.showmax.app
android_application | com.irccloud.android
android_application | com.x8bit.bitwarden
android_application | ru.yandex.market
android_application | ru.yandex.searchplugin
android_application | ru.yandex.weatherplugin
android_application | ru.yandex.mail
android_application | ru.yandex.music
android_application | ru.yandex.metro
android_application | ru.yandex.taxi
android_application | ru.yandex.disk
android_application | com.duolingo.tinycards
android_application | org.videolan.vlc
android_application | com.quvideo.slideplus
android_application | com.quvideo.xiaoying
android_application | com.smule.singandroid.*
android_application | com.dropbox.paper
android_application | com.grammarly.android.keyboard
android_application | com.fitbit.FitbitMobile
android_application | com.airbnb.android
android_application | ru.mail.mailapp
android_application | jp.naver.line.android
android_application | ru.mail.auth.totp
android_application | ru.mail.cloud
android_application | ru.mail.calendar
android_application | com.opera.app.news
android_application | com.picsart.studio
android_application | wps_security@kingsoft.com
android_application | me.lyft.android
android_application | com.instagram.android
android_application | com.facebook.orca
android_application | com.facebook.katana
android_application | com.priceline.android.negotiator
android_application | com.lyft.android.driver
android_application | com.pinterest
other | com.alibaba.aliexpresshd
other | com.tinder
web_application | com.spotify.tv.android
web_application | https://hackerone.com/paypal
web_application | https://hackerone.com/grab

Out of Scope

Scope Type | Scope Name
---|---
android_application | com.whatsapp.wallpaper
android_application | com.whatsapp.w4b
android_application | com.whatsapp
android_application | com.instagram.boomerang
android_application | com.instagram.layout
android_application | com.facebook.mlite

Google Play Security Reward Program

Google Play Security Reward Program (GPSRP) is a bug bounty program offered by Google Play, in collaboration with HackerOne and the developers of certain popular Android apps. It recognizes the contributions of security researchers who invest their time and effort in helping make apps on Google Play more secure.

The goal of the program is to identify and mitigate vulnerabilities in participating apps on Google Play, and keep Android users, developers and the Google Play ecosystem safe.

Developers of Android apps are invited to join the program to help incentivize security research through the bug bounty model.

Table of Contents

i. How Does it Work?
ii. Program Rules
iii. Vulnerability Criteria & Rewards
iv. Scope
v. Legal Points

How does it work?

At a high level:

  • Developers of Android apps apply to join the program. Google and HackerOne review and determine eligibility to participate, then the apps are added to the scope of this program.
  • Hacker identifies vulnerability in an in-scope app and reports it directly to the app’s developer via their current vulnerability disclosure process.
  • App developer works with the hacker to resolve the vulnerability.
  • Once the vulnerability has been resolved, the hacker can request a payout from the Google Play Security Reward Program. This is in addition to the bounty that the app developer may independently offer.

Program Rules

  • All vulnerabilities must always be reported directly to the app developer first. This program is only for requesting bonus bounties after the original vulnerability was resolved with the app developer. Only issues that have been patched within the last 90 days will qualify.
  • Only developers who have expressed a commitment to fixing bugs which are disclosed to them have been invited to the program. It is the responsibility of each developer to respond and fix bugs in a timely manner.
  • All reports are subject to HackerOne's disclosure guidelines.
  • Reports must contain the information requested in the submit report form. Reports not containing the required information and not meeting the criteria for this program will not be eligible for a reward.
  • When duplicates occur, only the first report that was received is awarded (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue reported to the same developer (or multiple developers in some cases) will be awarded one reward.
  • We aim to be fair; any and all reward decisions under the Google Play Security Rewards Program are ultimately at the discretion of Google and HackerOne. App developers have no control over the Google Play Security Rewards Program administered by HackerOne.
  • Bounty amounts mentioned are only representative and may be upgraded or downgraded by the decision makers.
  • Some Alphabet branded services hosted in less common domains operated by vendors or partners are out of scope. In addition, Google VRP (not GPSRP) policies apply when deciding the eligibility of vulnerability reports pertaining to Google developed apps. If in doubt, talk to us first. To allow time for internal review and remediation, apps pertaining to companies acquired by Google are subject to a six-month blackout period. Bugs reported sooner than that will typically not qualify for a reward.

Vulnerability Criteria & Rewards

At this time, the following vulnerabilities qualify for the Google Play Security Reward Program. This list may be expanded in the future to cover more issues.

1) RCE (Remote Code Execution) - $20,000

RCE (Remote Code Execution) vulnerabilities and corresponding POCs (Proof of Concepts) qualify for a $20,000 reward. The RCE vulnerability should allow an attacker to run native ARM code of their choosing on a user’s device without user knowledge or permission.

Examples may include:

  • Attacker gaining full control, meaning code can be downloaded from the network and executed (download and execute arbitrary native ARM code in the same process as the affected app)

Please note, executing arbitrary JavaScript does not qualify for the RCE category.

2) Theft of insecure private data - $3,000

Vulnerabilities and corresponding POCs (Proof of concepts) that lead to theft of private data qualify for a $3,000 reward, based on the following criteria:

  • Vulnerabilities that lead to unauthorized access to personally identifiable information in a way that an attacker can steal them from Android devices with default security settings (e.g. non-rooted).
    • For the scope of this program, personally identifiable information is classified as: login credentials, authentication tokens, names, contact list information, photos and other files from SD card, content of a user email, call log, SMS log, web history, browser bookmarks, and info from private/data/directories of other apps. Please note, location or GPS coordinates alone do not qualify as personally identifiable information.
    • Examples of this include, but are not limited to:
      • Insecurely stored data files that are accessible to other apps
      • Data sent over insecure network connections that can be intercepted
      • Insecurely designed app internals like content providers or activities that can be manipulated to expose data
  • Vulnerabilities that result in the ability to easily phish a user without user interaction, e.g. causing a WebView or other interface to become visible to the user without any user interaction, running in the same process as the affected app, and that appears to be within the same interface as the victim app. Please note URL or intent redirections of this nature will be moved entirely out of scope on October 16, 2019. Reports submitted to hackerone.com/googleplay on or after October 16, 2019 will not be eligible for a reward.

Additionally, vulnerabilities that result in unauthorized destruction of sensitive user data listed above may also qualify (e.g. deleting a user’s account).

Note: To qualify for a reward, the data theft must occur either through MITM of the network or a hostile app installed on the same device. If a hardcoded key or secret is found within the app that provides access to sensitive data types listed above, this may also count.
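One of the data-theft patterns listed above, "insecurely designed app internals like content providers ... that can be manipulated to expose data", shown as an added example that is not part of the GPSRP policy: a hypothetical exported ContentProvider that serves user-exported files, with the unsafe resolution kept as a comment and the hardened path confinement in code. ExportFileProvider and the "exports" directory name are assumptions.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.net.Uri;
import android.os.ParcelFileDescriptor;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;

// Hypothetical provider that lets other apps fetch files the user chose to export.
// It is exported in the manifest, so every caller must be treated as untrusted.
public class ExportFileProvider extends ContentProvider {

    private File exportDir() {
        return new File(getContext().getFilesDir(), "exports");
    }

    // VULNERABLE shape (kept as a comment): resolving the caller's path directly means a
    // URI path containing ".." is resolved outside exportDir(), which exposes the app's
    // private data directory to a hostile app on the same device.
    //   File f = new File(exportDir(), uri.getPath());
    //   return ParcelFileDescriptor.open(f, ParcelFileDescriptor.MODE_READ_ONLY);

    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        // HARDENED: refuse anything but read access, then confine the canonical path.
        if (!"r".equals(mode)) {
            throw new SecurityException("ExportFileProvider is read-only");
        }
        File requested = resolveInsideExportDir(uri.getPath());
        if (requested == null) {
            throw new FileNotFoundException("path is outside the export directory");
        }
        return ParcelFileDescriptor.open(requested, ParcelFileDescriptor.MODE_READ_ONLY);
    }

    // Returns the canonical file for relPath if it stays under exportDir(), else null.
    // Canonicalising resolves "..", "." and symlinks before the prefix check, and the
    // trailing separator on root stops "exports-old" from matching "exports".
    File resolveInsideExportDir(String relPath) {
        if (relPath == null || relPath.isEmpty()) return null;
        try {
            String root = exportDir().getCanonicalPath() + File.separator;
            File candidate = new File(exportDir(), relPath).getCanonicalFile();
            return candidate.getPath().startsWith(root) ? candidate : null;
        } catch (IOException e) {
            return null;
        }
    }

    // Remaining ContentProvider methods are unused; the provider serves files only.
    @Override public boolean onCreate() { return true; }
    @Override public Cursor query(Uri u, String[] p, String s, String[] a, String o) { return null; }
    @Override public String getType(Uri u) { return "application/octet-stream"; }
    @Override public Uri insert(Uri u, ContentValues v) { return null; }
    @Override public int delete(Uri u, String s, String[] a) { return 0; }
    @Override public int update(Uri u, ContentValues v, String s, String[] a) { return 0; }
}
```

The same check belongs in any provider that maps caller-supplied URI segments to files; the manifest should also keep the provider non-exported unless another app genuinely needs it.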

3) Access to protected app components - $3,000

Vulnerabilities and corresponding PoCs (Proof of Concepts) where an app component processes a passed Intent (e.g. from startActivity, sendBroadcast, startService, or bindService) from another app without properly validating the Intent, resulting in the target app performing an operation that the sending app doesn't have permission to do qualify for a $3,000 reward. The operation in question needs to be security-relevant (e.g. changing sharing settings to provide an attacker unauthorized access to sensitive data, publishing/editing something on behalf of the user without their consent which exposes sensitive data, changing security settings in a way that makes it easier to compromise the user's data or functionality, changing or providing unauthorized access to credentials, etc).

  • Examples of this behavior include, but are not limited to:
    • Allowing an app to send an SMS message if it doesn't have the SEND_SMS permission
    • Bypassing a protection (e.g. login form) by directly calling an Activity
    • Manipulating intents to steal auth tokens or run scripts in a web origin not under your control
  • Examples of issues that would not qualify include:
    • Making a GET/POST request, without being able to fool the vulnerable app into doing something dangerous with the returned HTTP payload (e.g. Android APIs are often used for actions like playing a media file by URL)
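The "bypass a login form by directly calling an Activity" and "changing sharing settings" cases above, as an added example that is not part of the GPSRP policy: a hypothetical Activity that makes an album public from Intent extras, in its vulnerable form and in a hardened form that requires the app's own session, validates the extras and asks the user to confirm. SharingBackend, Session and LoginActivity are assumed app classes.

```java
import android.app.Activity;
import android.app.AlertDialog;
import android.content.Intent;
import android.os.Bundle;
import java.util.regex.Pattern;

// Two Activities side by side. SharingBackend, Session and LoginActivity are hypothetical
// classes of the app; the manifest attributes named in the comments are the first half of
// the fix, the in-code checks are the second.
public final class ShareSettingsExample {

    // VULNERABLE: declared with android:exported="true" and no android:permission, so any
    // app on the device can start it and flip the victim's album to public. The login
    // screen is never involved, and the extras are trusted as-is.
    public static class InsecureShareSettingsActivity extends Activity {
        @Override protected void onCreate(Bundle saved) {
            super.onCreate(saved);
            String albumId = getIntent().getStringExtra("album_id");
            boolean makePublic = getIntent().getBooleanExtra("make_public", false);
            SharingBackend.setAlbumPublic(albumId, makePublic);
            finish();
        }
    }

    // HARDENED: keep the component non-exported (android:exported="false") or, if it must
    // be reachable from outside, protect it with a signature-level android:permission in
    // the manifest. getCallingPackage() only identifies callers that used
    // startActivityForResult, so it cannot replace the manifest attribute. Then treat the
    // Intent as untrusted input anyway.
    public static class ShareSettingsActivity extends Activity {
        private static final Pattern ALBUM_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

        @Override protected void onCreate(Bundle saved) {
            super.onCreate(saved);
            // 1. The app's own session decides whether the user is logged in, not the Intent.
            if (!Session.isLoggedIn(this)) {
                startActivity(new Intent(this, LoginActivity.class));
                finish();
                return;
            }
            // 2. Validate every extra before it reaches any backend call.
            final String albumId = getIntent().getStringExtra("album_id");
            if (albumId == null || !ALBUM_ID.matcher(albumId).matches()) {
                finish();
                return;
            }
            final boolean makePublic = getIntent().getBooleanExtra("make_public", false);
            // 3. A privacy-relevant change happens only on the user's explicit confirmation.
            new AlertDialog.Builder(this)
                    .setTitle(makePublic ? "Make this album public?" : "Make this album private?")
                    .setMessage("Album: " + albumId)
                    .setPositiveButton("Confirm", (dialog, which) -> {
                        SharingBackend.setAlbumPublic(albumId, makePublic);
                        finish();
                    })
                    .setNegativeButton("Cancel", (dialog, which) -> finish())
                    .show();
        }
    }
}
```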

4) Local code execution - $4,000

Vulnerabilities and corresponding PoCs (Proof of Concepts) where an app processes malicious input from another application on the same device, resulting in code execution on the device (e.g. ARM, Java) will qualify for a $4,000 reward. For example:

  • An app loading and executing arbitrary Java code from a file specified on local storage, where an attacker can combine a file overwrite vulnerability to place Java code of their choosing in a place on the filesystem where the victim app will load and run it

For more information on vulnerability classes, please see this PDF: {F569870}

A note on SDK and library vulnerabilities - if you have identified a vulnerability in an SDK or library used by an app developer (but not maintained by the app developer), please submit it directly to the maintainer of the affected software. If this is not possible and you leverage HackerOne’s Disclosure Assistance as described in the Scope section to submit a report on a vulnerable app due to an SDK or library they are using, please note that SDK and library vulnerabilities will only receive a single payout at 2x the normal reward amount (e.g. a $3k issue would be worth $6k) to reflect the additional impact of these types of bugs. If multiple reports of the same SDK or library vulnerability are received, even across different apps, they will be considered duplicates of the earliest report submission due to having the same root cause.

Non-qualifying issues

Certain common low-risk vulnerabilities deemed trivially exploitable will not qualify for rewards. A few such issues may be found here. Most common examples include vulnerabilities that result from an uninformed OAuth grant (by the user) to a 3rd party app, or phishing attacks (solely) based on user deception. Attacks requiring physical access to devices are considered out of scope for this program.

Known issues

Issues already known to Google (and in the process of being mitigated/fixed) that can be used to uncover similar vulnerabilities across multiple apps in Google Play Store will be published to the Known issues list. Such vulnerabilities are not deemed severe enough to warrant the default reward from Google Play (while still being relevant for the developer to fix - and pay, where applicable), but may qualify for a smaller bounty (listed below).

Issue Category | Reward (Issued by GPSRP)
---|---
MITM attacks over insecure connections (not including sensitive data sent over HTTP) | $500
Unprotected link handlers (moving entirely out of scope on October 16, 2019) | $500
Intent or URL Redirection leading to phishing (moving entirely out of scope on October 16, 2019) | $500

Additional criteria

There is no requirement that the OS sandbox be bypassed.

Scope

Only Google developed applications and those developed by participating developers (in the list below) are in scope to be considered for a bounty. Only vulnerabilities that work on Android 5.0 devices and higher will qualify.

  • For Google-developed Android apps: Please report vulnerabilities through the Google Vulnerability Reward Program or, for Chrome specifically, to the Chrome Reward Program. There is no need to submit vulnerabilities again to the Google Play Security Reward Program. Please check the Program Rules section to learn about exclusions.
  • For the rest of the apps: All vulnerabilities must be reported directly to the app developer first through the listed channel. Only submit issues to the Play Security Rewards Program that have already been resolved by the developer. Additionally, only issues that have been patched within the last 90 days will qualify for a reward from Google Play. If you wait longer than 90 days from a fix being made publicly available, your report will not qualify!

Hackers - if you have general feedback based on your experience with GPSRP and participating app developers, please submit it here. If you need assistance with a specific app developer, please submit a GPSRP mediation request.

App developers - if you feel you are in the incorrect tier, please contact gpsrp[@]google.com. These average stats are updated periodically based on publicly accessible metrics.

Tier 1

Tier 1 programs have average first response times of < 1 day, and resolution times of <= 1 month.

Organization/Developer | Package Name | Submit vulnerabilities to:
---|---|---
Grammarly | com.grammarly.android.keyboard | https://hackerone.com/grammarly
Livestream | com.livestream.livestream | https://hackerone.com/livestream
Priceline | com.priceline.android.negotiator | https://hackerone.com/priceline
Shopify | com.shopify.pos, com.shopify.mobile, com.shopify.pos.customerview | https://hackerone.com/shopify
Showmax | com.showmax.app | https://tech.showmax.com/security/
Spotify | com.spotify.music, com.spotify.tv.android, com.spotify.s4a | https://hackerone.com/spotify
Sweatcoin | in.sweatco.app | https://hackerone.com/sweatco_ltd
Zomato | com.application.zomato, com.application.zomato.ordering | https://hackerone.com/zomato

Tier 2

Tier 2 programs have average first response times of <= 1 day, and/or triage times of <= 5 days, and/or resolution times of <= 3 months.

Organization/Developer | Package Name | Submit vulnerabilities to:
---|---|---
Airbnb | com.airbnb.android | https://hackerone.com/airbnb
Dropbox | com.dropbox.android, com.dropbox.paper | https://hackerone.com/dropbox
Fitbit | com.fitbit.FitbitMobile | https://www.fitbit.com/bugbounty
Grab | com.grab.food.dax, com.grabtaxi.passenger, com.grabtaxi.driver2 | https://hackerone.com/grab
Lyft | me.lyft.android, com.lyft.android.driver | https://www.lyft.com/security
Mail.Ru | ru.mail.cloud, ru.mail.auth.totp, ru.mail.mailapp, com.my.mail, ru.mail.calendar | https://hackerone.com/mailru
PayPal Inc. | com.paypal.android.p2pmobile, com.paypal.here, com.paypal.merchant.client, com.xoom.android.app, com.venmo | https://hackerone.com/paypal
Pinterest | com.pinterest | https://bugcrowd.com/pinterest
Snapchat | com.snapchat.android | https://hackerone.com/snapchat
Tesla | com.teslamotors.tesla | https://bugcrowd.com/tesla
Vimeo | com.vimeo.android.videoapp | https://hackerone.com/vimeo

Tier 3

Tier 3 programs either do not meet the criteria for tier 2 or above, or do not publicly display metrics around time to first response, time to triage, or time to resolution.

Organization/Developer | Package Name | Submit vulnerabilities to:
---|---|---
8bit Solutions LLC | com.x8bit.bitwarden | security@bitwarden.com
Alibaba | com.alibaba.aliexpresshd | https://security.alibaba.com/en/
Ayopop | com.ayopop | devops@ayopop.com
delight.im | im.delight.letters | https://hackerone.com/delight_im
Facebook | com.facebook.katana, com.facebook.orca, com.instagram.android | https://www.facebook.com/whitehat/report/
IRCCloud | com.irccloud.android | https://hackerone.com/irccloud
Kingsoft Office | cn.wps.moffice_eng | wps_security@kingsoft.com
Language Drops | com.languagedrops.drops.international, com.languagedrops.drops.scrips.learn.write.alphabet.letters... | security@languagedrops.com
Line | jp.naver.line.android | https://bugbounty.linecorp.com/
Ok.Ru | ru.ok.android, ru.ok.messages, ru.ok.live | https://hackerone.com/ok
Opera | com.opera.browser, com.opera.mini.native, com.opera.touch, com.opera.app.news | https://security.opera.com/report-security-issue/
PicsArt | com.picsart.studio | security@picsart.com
Quvideo Inc | com.quvideo.xiaoying, com.quvideo.slideplus | googlesecurity@quvideo.com
Smule | com.smule.singandroid.* | android-security@smule.com
Telegram Messenger LLP | org.telegram.messenger | security@telegram.org
Tinder | com.tinder | https://www.gotinder.com/security
VHX | tv.vhx.* | hackerone.com/vhx
VK.com (V Kontakte LLC) | com.vkontakte.android, com.vk.admin, com.vk.quiz | https://hackerone.com/vkcom
VLC | org.videolan.vlc | https://www.videolan.org/security/
Yandex LLC | ru.yandex.disk, ru.yandex.taxi, ru.yandex.metro, ru.yandex.music, ru.yandex.mail, ru.yandex.weatherplugin, ru.yandex.searchplugin, ru.yandex.yandexmaps, ru.yandex.market, com.yandex.browser, ru.yandex.yandexnavi | https://yandex.com/bugbounty/report/

Over time, additional apps may come into scope, so please check back regularly.

For Finders who participate in certain programs of particular customers, to the extent described in the Program Policies, HackerOne may share contact information about those Finders (name, company name (if applicable) and email address) to allow those Customers to contact those Finders to allow them to interact directly.

If you believe you’ve identified a vulnerability in a Play app not listed in scope, please disclose the vulnerability directly to the app developer. If the app developer is unresponsive or does not have a means of receiving vulnerability reports, and the app has over 100 million installs (as indicated on the Google Play Store), you may attempt to disclose the issue to the app developer via HackerOne’s Disclosure Assistance service here: hackerone.com/disclosure-assistance. Google makes no guarantees in terms of the ability of HackerOne or Google to successfully disclose the issue to the affected app developer. If the issue qualifies based on the criteria listed in this policy, it may be eligible for a reward.

If an app developer has a publicly facing vulnerability disclosure or bug bounty program, you can submit a reward claim to this program (as you would for the apps specifically listed in scope) as long as the developer has already confirmed that the vulnerability has been fixed in the last 90 days. The application must have over 100 million installs (as indicated on the Google Play store).

Google will reach out to the affected app developer to confirm your claim and determine if the report is eligible for a reward based on the current vulnerability criteria. If the app developer has a private program, please ask the app developer for permission before submitting a reward claim here.

Legal Points

We are unable to issue rewards to individuals who are on US sanctions lists, or who are in countries subject to US sanctions. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law. This is not a competition, but rather an experimental and discretionary reward program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion. Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own. To avoid potential conflicts of interest, we will not grant rewards to people employed by Google or Google Partner companies who develop code for devices covered by this program.

Thank you for helping improve the security of the Google Play ecosystem!

FireBounty © 2015-2019