Google Play Security Reward Program Rules

The Google Play Security Reward Program recognizes the contributions of security researchers who invest their time and effort in helping us make apps on Google Play more secure. All Google’s apps are included and developers of popular Android apps are invited to opt-in to the program. Interested developers who aren’t currently in the program should discuss it with their Google Play partner manager. Through the program, we will further improve app security which will benefit developers, Android users, and the entire Google Play ecosystem.

How it works?

Reports follow this process:

Note: all qualifying reports sent to the Google or Chrome Vulnerability Reward Programs will automatically be considered for a reward from the Google Play Security Reward Program. There is no need to submit vulnerabilities submitted to Google again to the Google Play Security Reward Program.

We are unable to issue rewards to individuals who are on US sanctions lists, or who are in countries (e.g. Crimea, Cuba, Iran, North Korea, Sudan, and Syria) on US sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.

This is not a competition, but rather an experimental and discretionary reward program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion.

Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.

To avoid potential conflicts of interest, we will not grant rewards to people employed by Google or Google Partner companies who develop code for devices covered by this program.

More information

For more information, visit the Google Play Security Reward Program hosted on the HackerOne Interested developers can also contact their Google Play partner manager.