Duolingo is participating in the Google Play Security Rewards Program. While we do not have a full disclosure program in place at this time, we are willing to accept reports that qualify for the Google Play Security Rewards Program, specifically what’s listed in our scope below. Additionally, we will accept reports for the domains listed as "In Scope" below. We attempt to acknowledge your submission within 30 days - usually in a lot less time - and attempt address findings within 90 days.
For now, only Remote Code Execution vulnerabilities on our Duolingo and TinyCards Android mobile apps are eligible for a reward. The bug must work on Android 4.4 or later.
Any "In Scope" domains listed below are in scope, but they are not eligible for a reward.
Any bug reports outside of this criteria will be closed out as Informative.