Google Play Security Reward Program (GPSRP) is a bug bounty program offered by Google Play, in collaboration with HackerOne and the developers of certain popular Android apps. It recognizes the contributions of security researchers who invest their time and effort in helping make apps on Google Play more secure.
The goal of the program is to identify and mitigate vulnerabilities in participating apps on Google Play, and keep Android users, developers and the Google Play ecosystem safe.
Developers of Android apps are invited to join the program to help incentivize security research through the bug bounty model.
At a high level:
At this time, the following vulnerabilities qualify for the Google Play Security Reward Program. This list may be expanded in the future to cover more issues.
RCE (Remote Code Execution) vulnerabilities and corresponding POCs (Proof of Concepts) qualify for a $5000 reward. The RCE vulnerability should allow an attacker to run native ARM code of their choosing on a user’s device without user knowledge or permission.
Examples may include:
Vulnerabilities and corresponding POCs (Proof of concepts) that lead to theft of private data qualify for a $1000 reward, based on the following criteria:
Note: To qualify for a reward, the data theft must occur either through MITM of the network or a hostile app installed on the same device.
Vulnerabilities and corresponding PoCs (Proof of Concepts) where an app component processes an Intent passed from another app (e.g. via startActivity, sendBroadcast, startService, or bindService) without properly validating it, so that the target app performs an operation the sending app does not have permission to perform, qualify for a $1000 reward. The operation in question needs to be security-relevant (e.g. changing sharing settings to give an attacker unauthorized access to sensitive data, publishing or editing something on behalf of the user without their consent in a way that exposes sensitive data, changing security settings in a way that makes it easier to compromise the user's data or functionality, changing or providing unauthorized access to credentials, etc.).
Certain common low-risk vulnerabilities deemed trivially exploitable will not qualify for rewards. A few such issues may be found here. The most common examples include vulnerabilities that result from an uninformed OAuth grant (by the user) to a third-party app, or phishing attacks based solely on user deception. Attacks requiring physical access to devices are considered out of scope for this program.
Issues already known to Google (and in the process of being mitigated or fixed) that can be used to uncover similar vulnerabilities across multiple apps in the Google Play Store will be published to the Known issues list. Such vulnerabilities are not deemed severe enough to warrant the default reward from Google Play (while still being relevant for the developer to fix, and pay for, where applicable), but may qualify for a smaller bounty (listed below).
Issue Category | Reward (Issued by GPSRP)
MITM attacks over insecure connections | $500
Unprotected link handlers | $500
Intent or URL Redirection leading to phishing | $500
Note: The bounty reduction goes into effect on July 1, 2019. Reports submitted before July 1 are eligible for the standard bounties outlined under Vulnerability Criteria & Rewards.
There is no requirement that the OS sandbox be bypassed.
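The Intent-validation category above (the $1000 reward) and the "Intent or URL Redirection" row in the known-issues table both come down to the same defect: an exported component acts on an Intent it never checked, so a sender gains the target app's identity and privileges. The Android (Java) example below is added here for illustration; it is not code from this program page or from any participating app. It places a hypothetical vulnerable proxy Activity beside a hardened one that forwards only Intents the caller could have sent on its own. The class names, the `redirect_intent` extra and the log tag are assumptions.

```java
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.content.pm.ResolveInfo;
import android.os.Bundle;
import android.util.Log;

/**
 * Vulnerable form (hypothetical). An exported Activity re-launches whatever
 * Intent a caller embeds as an extra. Because startActivity() runs with this
 * app's identity, another app can use it to reach this app's non-exported
 * components, or to make this app hand out URI permission grants to its own
 * content providers: an operation the sender has no permission to perform.
 */
public class VulnerableProxyActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent forward = getIntent().getParcelableExtra("redirect_intent");
        if (forward != null) {
            startActivity(forward); // unvalidated: the caller chooses the target
        }
        finish();
    }
}

/**
 * Hardened form (hypothetical). The embedded Intent is forwarded only when
 * doing so grants the caller nothing it did not already have.
 */
class HardenedProxyActivity extends Activity {
    private static final String TAG = "ProxyActivity"; // assumed log tag

    // Flags that would make this app grant provider access on the caller's behalf.
    private static final int URI_GRANT_FLAGS =
            Intent.FLAG_GRANT_READ_URI_PERMISSION
            | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
            | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
            | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;

    /**
     * Returns true only if {@code forward} resolves to an exported component
     * and carries no URI permission grants. Anything else is refused, which
     * covers both reaching into non-exported components and proxied grants.
     */
    static boolean isSafeToForward(Context ctx, Intent forward) {
        if (forward == null) {
            return false;
        }
        if ((forward.getFlags() & URI_GRANT_FLAGS) != 0) {
            Log.w(TAG, "refusing Intent that carries URI permission grants");
            return false;
        }
        // Resolve the destination the same way startActivity() will.
        ResolveInfo info = ctx.getPackageManager().resolveActivity(forward, 0);
        if (info == null || info.activityInfo == null) {
            Log.w(TAG, "refusing Intent that resolves to nothing");
            return false;
        }
        ActivityInfo target = info.activityInfo;
        if (!target.exported) {
            // The caller could not start this component directly; neither may we on its behalf.
            Log.w(TAG, "refusing Intent to non-exported component " + target.name);
            return false;
        }
        return true;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent forward = getIntent().getParcelableExtra("redirect_intent");
        if (isSafeToForward(this, forward)) {
            startActivity(forward);
        }
        finish();
    }
}
```

The check belongs in code, not only in the manifest, but the manifest still matters: a component that never needs outside callers should declare `android:exported="false"`, and one that does should name an `android:permission` so the platform rejects senders that lack it before `onCreate` ever runs. That is the "properly validating the Intent" the reward criteria refer to, applied at both layers.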
Only Google-developed applications and those developed by participating developers (in the list below) are in scope for a bounty. Only vulnerabilities that work on devices running Android 5.0 or higher will qualify.
At this time, only the apps listed below have opted-in to the Play Security Rewards Program and are eligible for rewards. Please do not submit issues for any apps not in the list.
Organization/Developer | Package Name | Submit vulnerabilities to:
8bit Solutions LLC | com.x8bit.bitwarden | email@example.com
Airbnb | com.airbnb.android | https://hackerone.com/airbnb
Alibaba | com.alibaba.aliexpresshd | https://security.alibaba.com/en/
Ayopop | com.ayopop | firstname.lastname@example.org
delight.im | im.delight.letters | https://hackerone.com/delight_im
Dropbox | com.dropbox.android, com.dropbox.paper | https://hackerone.com/dropbox
Fitbit | com.fitbit.FitbitMobile | https://www.fitbit.com/bugbounty
Grab | com.grab.food.dax, com.grabtaxi.passenger, com.grabtaxi.driver2, com.grab.food.pax | https://hackerone.com/grab
IRCCloud | com.irccloud.android | https://hackerone.com/irccloud
Kingsoft Office | cn.wps.moffice_eng | email@example.com
Line | jp.naver.line.android | https://bugbounty.linecorp.com/
Mail.Ru | ru.mail.cloud, ru.mail.auth.totp, ru.mail.mailapp, com.my.mail, ru.mail.calendar | https://hackerone.com/mailru
Ok.Ru | ru.ok.android, ru.ok.messages, ru.ok.live | https://hackerone.com/ok
Opera | com.opera.browser, com.opera.mini.native, com.opera.touch | https://security.opera.com/report-security-issue/
Pandora | com.pandora.android | firstname.lastname@example.org
PayPal Inc. | com.paypal.android.p2pmobile, com.paypal.here, com.paypal.merchant.client, com.xoom.android.app, com.venmo | https://hackerone.com/paypal
Quvideo Inc | com.quvideo.xiaoying, com.quvideo.slideplus | email@example.com
Shopify | com.shopify.pos, com.shopify.mobile, com.shopify.pos.customerview | https://hackerone.com/shopify
Showmax | com.showmax.app | https://tech.showmax.com/security/
Smule | com.smule.singandroid.* | firstname.lastname@example.org
Snapchat | com.snapchat.android | https://hackerone.com/snapchat
Spotify | com.spotify.music, com.spotify.tv.android, com.spotify.s4a | https://hackerone.com/spotify
Sweatcoin | in.sweatco.app | https://hackerone.com/sweatco_ltd
Telegram Messenger LLP | org.telegram.messenger | email@example.com
Tesla | com.teslamotors.tesla | https://bugcrowd.com/tesla
Tinder | com.tinder | https://www.gotinder.com/security
VK.com (V Kontakte LLC) | com.vkontakte.android, com.vk.admin, com.vk.quiz | https://hackerone.com/vkcom
VLC | org.videolan.vlc | https://www.videolan.org/security/
Yandex LLC | ru.yandex.disk, ru.yandex.taxi, ru.yandex.metro, ru.yandex.music, ru.yandex.mail, ru.yandex.weatherplugin, ru.yandex.searchplugin, ru.yandex.yandexmaps, ru.yandex.market, com.yandex.browser, ru.yandex.yandexnavi | https://yandex.com/bugbounty/report/
Zomato | com.application.zomato, com.application.zomato.ordering | https://hackerone.com/zomato
Over time, additional apps may come into scope, so please check back regularly.
For Finders who participate in certain programs of particular Customers, to the extent described in the Program Policies, HackerOne may share contact information about those Finders (name, company name (if applicable) and email address) so that those Customers can contact those Finders and interact with them directly.
We are unable to issue rewards to individuals who are on US sanctions lists, or who are in countries subject to US sanctions. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law. This is not a competition, but rather an experimental and discretionary reward program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion. Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own. To avoid potential conflicts of interest, we will not grant rewards to people employed by Google or Google Partner companies who develop code for devices covered by this program.
Thank you for helping improve the security of the Google Play ecosystem!
Contact us if you want more information.