30/08/2019
Reward: 100 $

Developer Data Protection Reward Program

Google is committed to making the Android, OAuth, and Chrome Extension ecosystem safer for 2+ billion users daily. The Developer Data Protection Reward Program is a bounty program, in collaboration with HackerOne, to identify and mitigate data abuse issues in popular Android applications, OAuth projects, and Chrome extensions. It recognizes the contributions of individuals who help report apps that are violating Google Play, Google API, or Google Chrome Web Store program policies.

Disclosure Policy

  • Google will work directly with the affected developer to remediate any policy violations. Do not contact the developer directly regarding your findings without discussing coordinated disclosure with Google first. If you’ve identified a security vulnerability (not a data abuse issue) in the affected developer’s properties, please report it directly to the app developer.

Program Rules

To be eligible for a reward under this program, the reporter must:

  • Not be directly employed by Alphabet or an immediate family member of a person employed by Alphabet.
  • Not be a resident of, or submit their report from, a country against which the United States has issued sanctions (e.g. Cuba, Iran, North Korea, Sudan and Syria).
  • Not use social engineering (e.g. phishing, vishing, smishing, etc.).
  • Not submit reports indicating they’ve accessed real user data.
  • Only use their own test accounts and data to demonstrate any potential violations related to this program.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of any services belonging to Google or any Google Play applications.
  • When duplicates occur, only the first report that was received is awarded (provided that it can be fully reproduced).
  • Follow the guidelines below; for each type of scope, criteria may vary.

Google Play

Data Abuse Criteria & Examples

A report qualifies under this program if it meets one or more of the following criteria and clearly demonstrates abuse of the data in question. Reward eligibility and amount are ultimately at the discretion of Google, but the following criteria and examples demonstrate the types of issues that may qualify:

  • Play Policies : Report is able to verifiably and unambiguously demonstrate with evidence that the data collected by an Android app was sold, disclosed or shared by the developer in a manner that violates Google’s and/or the developer’s data handling or privacy policies. Specifically, evidence of intentional abuse of data must be provided; demonstration of collection of data, in and of itself, is not sufficient.
  • Examples of violations regarding the User Data policy include:
    • An app that accesses a user's phone or contact book data and doesn't treat this data as personal or sensitive data subject to the Privacy Policy, Secure Transmission, and Prominent Disclosure requirements. (E.g. metadata around who you’ve called or texted, timestamps of these communications, etc.)
    • An app that accesses a user's inventory of installed apps and doesn't treat this data as personal or sensitive data subject to the Privacy Policy, Secure Transmission, and Prominent Disclosure requirements.
  • Examples of violations regarding the Permissions policy include:
    • An app that has permissions to the SMS permission group (e.g. ability to read and send text messages), and shares that data with a third party for advertising purposes.
    • Using contact data without user permission for another service unrelated to the original app (e.g. requesting contact information, then reusing it for a separate business or application unrelated to the original app).

Clear evidence of abuse of data must be provided for the report to qualify. An app that has more permissions than may be expected for its functionality, or an app that transfers data to a third party within the scope of the User Data policy, is by itself not sufficient evidence of abuse. Evidence must be provided that abuse of data has actually occurred for a report to qualify.

Google API

Data Abuse Criteria & Examples

A report qualifies under this program if it meets one or more of the following criteria. Reward eligibility and amount are ultimately at the discretion of Google, but the following criteria and examples demonstrate the types of issues that may qualify:

  • Google API Policies: Applies only to Restricted Scope APIs. A report qualifies under this program if it verifiably and unambiguously demonstrates with evidence that the application violated the limited use requirements in the API user data policy. This includes using or transferring data obtained from restricted scopes for purposes other than providing or improving user-facing features, selling that data, or impermissibly allowing humans to read it.
  • Examples of violations include:
    • An app providing travel services, using or transferring user data unrelated to travel.
    • An app transferring user data to affiliates to help develop new products.
    • An app using or sharing user data for the purpose of targeting that user with advertisements.
    • An app developer allowing employees to read user data without the user’s permission.

Chrome Extensions

Data Abuse Criteria & Examples

A report qualifies under this program if it meets one or more of the following criteria. Reward eligibility and amount are ultimately at the discretion of Google, but the following criteria and examples demonstrate the types of issues that may qualify:

  • Google Chrome Web Store Program Policies: A report qualifies under this program if it verifiably and unambiguously demonstrates with evidence that (i) the extension’s developer lacks transparency in its handling of user data, including lack of disclosure behind the collection, use and sharing of the data, or (ii) the extension violates the Chrome Web Store’s minimum user data privacy requirements, that is, extensions must require only the narrowest set of permissions necessary to provide their existing services or features (see the User Data FAQ).

  • Examples of violations include:

    • An extension that has no interactive UI elements exposed to the user, but collects web browsing activity in the background for another purpose, including providing rewards to the user.
    • Any extension that publicly discloses authentication, payment, or financial information.
    • An extension whose sole marketed purpose is to add themes to popular social media sites, but also anonymously scrapes the number of friends a user has, for sale or research purposes, and does not have a prominent disclosure to its users.

Report Requirements

At a minimum, your report must include:

  • The app name, developer name (and contact), and:
    • If Play, also provide the package name and SHA256 digest.
    • If Google API, also provide the app URL for web apps, the package name and SHA256 digest for Android apps, and the Apple App Store URL for iOS apps.
    • If Chrome Extension, also provide the extension ID.
  • A detailed explanation of which in-scope policy has been violated.
  • An explanation of, and evidence to show, how the data was abused. The evidence must verifiably and unambiguously demonstrate a violation under this program.
  • A list of instances that violated our policies as noted in the above sections.

Scope

To be eligible for a reward, the issue must:

  • Affect the following:
    • For Play, an Android app with over 100 million installs (as indicated by the Google Play Store).
    • For Google API, an app using restricted API scopes, with more than 50,000 users. To receive a list of in-scope apps, please fill out this form.
    • For Chrome Extensions, an extension with more than 50,000 users (as indicated by the Chrome Web Store listing).
  • Demonstrate verifiable data abuse by an app, whether intentional or accidental, within the last 24 months.
  • Be a case for which there is no existing active investigation or duplicate issue filed previously.
  • Have been discovered with testing performed in accordance with all rules, laws and regulations as applicable to the app.

Out of Scope

Out of scope issues include, but are not limited to:

  • Reports concerning security vulnerabilities in an Android app, OAuth project, or Chrome extension which could possibly be exploited to get hold of user data.
  • SSL man-in-the-middle attacks.
  • Phishing or social engineering. If an app developer has created an app that does not send user data to a third party, but instead directly attempts to phish the user, this would not qualify under this program, but should instead be sent to security@android.com.
  • Website scraping.
  • Play Developer Program Policy violations unrelated to user data abuse: e.g. Malicious Behavior, Deceptive Behavior, Misrepresentation or Device and Network Abuse policy violations. Violations of these policies should be reported to Google Play.
  • API User Data Policy violations unrelated to the limited use provision for restricted scopes. The following examples demonstrate types of scenarios that do not qualify for this program:
    • An app sharing user data with a third party service provider that helps them collect, store and process data for providing or improving the app’s services.
    • Employees of an app developer accessing user data, with users’ consent, in order to help them regain access to their account.
  • Chrome Extension Policy violations unrelated to user data abuse such as impersonation, code readability / obfuscation or other content violations like hate speech or adult content.

Timing Expectations

We will aim to provide a first response within 2 business days. After the report has been validated, Google will work with the affected developer to enforce the applicable data policies. Following these steps, provided your report meets the requirements above, a bounty will be awarded. We will do our best to keep you informed about our progress throughout this process.

Legal Points

Do not include or attach the affected user data as part of your report unless it is your own, or if you’ve been explicitly authorized to share it.

We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.

This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time, and the decision as to whether or not to pay a reward is entirely at our discretion.

Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.

In Scope

Scope type: other

Please select this asset if you are reporting an issue related to the Google API scope.


This program was found on HackerOne on 2019-08-30.

FireBounty © 2015-2019
