Google Play Security Reward Program Rules
The Google Play Security Reward Program recognizes the contributions of security researchers who invest their time and effort in helping us make apps on Google Play more secure. All of Google’s apps are included, and developers of popular Android apps are invited to opt in to the program. Interested developers who aren’t currently in the program should discuss it with their Google Play partner manager. Through the program, we will further improve app security, which will benefit developers, Android users, and the entire Google Play ecosystem.
How it works
Reports follow this process:
- Researcher identifies vulnerability within an in-scope app and reports it directly to the app’s developer via their current vulnerability disclosure or bug bounty process. Visit the program page on HackerOne for in-scope apps.
- App developer works with the researcher to resolve the vulnerability.
- Once the vulnerability has been resolved, the researcher requests a bonus bounty from the Google Play Security Rewards Program hosted on HackerOne.
- Android Security team issues a reward to the researcher to thank them for improving the security of the Google Play ecosystem.
- For details on Scope and Rewards, visit the Google Play Security Rewards Program hosted on HackerOne.
Note: all qualifying reports sent to the Google or Chrome Vulnerability Reward Programs will automatically be considered for a reward from the Google Play Security Reward Program. There is no need to resubmit vulnerabilities already submitted to Google to the Google Play Security Reward Program.
We are unable to issue rewards to individuals who are on US sanctions lists, or who are in countries (e.g. Crimea, Cuba, Iran, North Korea, Sudan, and Syria) on US sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.
This is not a competition, but rather an experimental and discretionary reward program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion.
Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.
To avoid potential conflicts of interest, we will not grant rewards to people employed by Google or Google Partner companies who develop code for devices covered by this program.
For more information, visit the Google Play Security Reward Program hosted on HackerOne. Interested developers can also contact their Google Play partner manager.