Google Play is working with the independent bug bounty platform, HackerOne, and the developers of popular Android apps to implement the Google Play Security Reward Program. Developers of popular Android apps are invited to opt-in to the program, which will incentivize security research in a bug bounty model. The goal of the program is to further improve app security which will benefit developers, Android users, and the entire Google Play ecosystem. To find out about other Android security initiatives, visit the Android Security Center (https://www.android.com/security-center/).
How does it work?
At a high level, the process will look like this:
* Hacker identifies vulnerability in an in-scope app and reports it directly to the app’s developer via their current vulnerability disclosure process.
* App developer works with the hacker to resolve the vulnerability.
* Once the vulnerability has been resolved, the hacker requests a reward from the Google Play Security Reward Program.
* Android Security team issues an additional reward to the hacker to thank them for improving security within the Google Play ecosystem.
* All vulnerabilities must always be reported directly to the app developer first. This program is only for requesting bonus bounties after the original vulnerability has been resolved with the app developer.
* Only developers who have expressed a commitment to fixing bugs which are disclosed to them have been invited to the program. It is the responsibility of each developer to respond and fix bugs in a timely manner.
* Follow HackerOne's disclosure guidelines.
* Please provide detailed reports with the requested information in the submit report form. Reports not containing the required information and that do not meet the criteria for this program will not be eligible for a reward.
* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
* Multiple vulnerabilities caused by one underlying issue and reported to the same developer will be awarded one reward.
* We aim to be fair; all reward amounts are at our discretion.
For now, the scope of this program is limited to RCE (remote code execution) vulnerabilities and corresponding PoCs (proofs of concept) that work on devices running Android 4.4 and higher.
This translates to any RCE vulnerability that allows an attacker to run code of their choosing on a user’s device without user knowledge or permission. Examples may include:
* UI manipulation to commit a transaction. For example, causing a banking app to make money transfers on behalf of the user without their consent.
* Opening a WebView without user input or interaction, which may lead to phishing attacks.
There is no requirement that the OS sandbox be bypassed.
Any vulnerability that requires collusion between apps, or that depends on another app being installed, is considered out of scope and will not qualify for a reward.
All vulnerabilities must be reported directly to the app developer first. Only submit issues to the Play Security Rewards Program that have already been resolved by the developer.
Additionally, only issues that have been patched within the last 90 days will qualify. If you wait longer than 90 days from a fix being made publicly available, your report will not qualify!
All Google-developed Android apps available on Google Play are in scope. Please report vulnerabilities in Google apps to the Google Vulnerability Reward Program (https://www.google.com/about/appsecurity/reward-program/index.html) or, for Chrome specifically, to the Chrome Reward Program (https://www.google.com/about/appsecurity/chrome-rewards/). There is no need to submit vulnerabilities again to the Google Play Security Reward Program for the additional reward.
Issues identified in the following apps also qualify for the program. After the developer has resolved the vulnerability, submit it to the Play Security Reward Program to be considered for the bug bounty:
| Organization/Developer | Package Name | Submit vulnerabilities to: |
| ------------- |-------------| -----|
| Alibaba | com.alibaba.aliexpresshd | https://security.alibaba.com/en/ |
| Dropbox | com.dropbox.android, com.dropbox.paper| https://hackerone.com/dropbox |
| Duolingo | com.duolingo | https://hackerone.com/duolingo |
| Headspace | com.getsomeheadspace.android | https://hackerone.com/headspace |
| Line | jp.naver.line.android | https://bugbounty.linecorp.com/ |
| Mail.Ru| ru.mail.cloud, ru.mail.auth.totp, ru.mail.mailapp, com.my.mail, ru.mail.calendar | https://hackerone.com/mailru |
| Pandora | com.pandora.android | firstname.lastname@example.org |
| Snapchat | com.snapchat.android | https://hackerone.com/snapchat |
| Tinder | com.tinder | https://www.gotinder.com/security |
Over time, additional apps may come into scope, so please check back regularly. Only the apps listed above have opted-in to the Play Security Rewards Program and are eligible for rewards. Please do not submit issues for any apps not listed above.
For Finders who participate in certain Programs of particular Customers, to the extent described in the Program Policies, HackerOne may share contact information about those Finders (name, company name (if applicable) and email address) to allow those Customers to contact those Finders to allow them to interact directly.
The Play Security Rewards Program will evaluate each submission based on the above Vulnerability Criteria and reward accordingly. A reward of $1000 will be awarded for issues that meet these criteria. Any and all reward decisions are ultimately at the discretion of the Google Play Security Rewards Program.
In the future, other vulnerabilities may be introduced into scope.
We are unable to issue rewards to individuals who are on US sanctions lists, or who are in countries (e.g. Crimea, Cuba, Iran, North Korea, Sudan, and Syria) on US sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law. This is not a competition, but rather an experimental and discretionary reward program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion. Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own. To avoid potential conflicts of interest, we will not grant rewards to people employed by Google or Google Partner companies who develop code for devices covered by this program.
Thank you for helping improve the security of the Google Play ecosystem!
Hall of Fame