Google Play Security Reward Program Rules
The Google Play Security Reward Program recognizes the contributions of security researchers who invest their time and effort in helping us make apps on Google Play more secure. All of Google’s apps are included, and developers of popular Android apps are invited to opt in to the program. Interested developers who aren’t currently in the program should discuss it with their Google Play partner manager. Through the program, we will further improve app security, which will benefit developers, Android users, and the entire Google Play ecosystem.
Scope of program
For now, the scope is limited to RCE (remote code execution) vulnerabilities and corresponding proofs of concept (POCs) that work on devices running Android 4.4 and higher. This translates to any RCE vulnerability that allows an attacker to run code of their choosing on a user’s device without the user’s knowledge or permission. Examples may include:
- UI Manipulation to commit a transaction. For example, causing a banking app to make money transfers on behalf of the user without their consent.
- Opening a WebView that may lead to phishing attacks, i.e. opening a WebView without user input or interaction.
There is no requirement that the OS sandbox be bypassed.
How it works
Reports follow this process:
- The researcher identifies a vulnerability within an in-scope app and reports it directly to the app’s developer via their current vulnerability disclosure or bug bounty process. Visit the program page on HackerOne for the list of in-scope apps.
- The app developer works with the researcher to resolve the vulnerability.
- Once the vulnerability has been resolved, the researcher requests a bonus bounty from the Google Play Security Rewards Program hosted on HackerOne.
- The Android Security team issues a reward to the researcher to thank them for improving the security of the Google Play ecosystem.
Note: all qualifying reports sent to the Google or Chrome Vulnerability Reward Programs will automatically be considered for a reward from the Google Play Security Reward Program. There is no need to resubmit vulnerabilities already reported to Google to the Google Play Security Reward Program.
The Play Security Reward Program will evaluate each submission based on the vulnerability criteria above and reward accordingly. A reward of $1000 will be issued for issues that meet these criteria. Any and all reward decisions are ultimately at the discretion of the Google Play Security Reward Program. In the future, other vulnerability classes may be brought into scope.
We are unable to issue rewards to individuals who are on US sanctions lists, or who are in countries (e.g. Crimea, Cuba, Iran, North Korea, Sudan, and Syria) on US sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.
This is not a competition, but rather an experimental and discretionary reward program. You should understand that we can cancel the program at any time, and the decision as to whether or not to pay a reward is entirely at our discretion.
Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.
To avoid potential conflicts of interest, we will not grant rewards to people employed by Google or Google Partner companies who develop code for devices covered by this program.
For more information, visit the Google Play Security Reward Program hosted on HackerOne. Interested developers can also contact their Google Play partner manager.