Google Play Security Reward Program Rules

The Google Play Security Reward Program recognizes the contributions of security researchers who invest their time and effort in helping us make apps on Google Play more secure. All Google’s apps are included and developers of popular Android apps are invited to opt-in to the program. Interested developers who aren’t currently in the program should discuss it with their Google Play partner manager. Through the program, we will further improve app security which will benefit developers, Android users, and the entire Google Play ecosystem.

Scope of program

For now, the scope is limited to RCE (remote code execution) vulnerabilities and corresponding PoCs (proofs of concept) that work on Android 4.4 devices and higher. This covers any RCE vulnerability that allows an attacker to run code of their choosing on a user’s device without the user’s knowledge or permission. Examples may include:

There is no requirement that the OS sandbox be bypassed.

How it works

Reports follow this process:

Note: All qualifying reports sent to the Google or Chrome Vulnerability Reward Programs will automatically be considered for a reward from the Google Play Security Reward Program. Vulnerabilities already submitted to Google do not need to be submitted again to the Google Play Security Reward Program.

Reward amounts

The Google Play Security Reward Program will evaluate each submission against the vulnerability criteria above and reward accordingly. A reward of $1000 will be paid for issues that meet these criteria. Any and all reward decisions are ultimately at the discretion of the Google Play Security Reward Program. In the future, other vulnerability classes may be brought into scope.

We are unable to issue rewards to individuals who are on US sanctions lists, or who are in countries (e.g. Crimea, Cuba, Iran, North Korea, Sudan, and Syria) on US sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.

This is not a competition, but rather an experimental and discretionary reward program. You should understand that we can cancel the program at any time, and the decision as to whether or not to pay a reward is entirely at our discretion.

Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.

To avoid potential conflicts of interest, we will not grant rewards to people employed by Google or Google Partner companies who develop code for devices covered by this program.

More information

For more information, visit the Google Play Security Reward Program page hosted on HackerOne. Interested developers can also contact their Google Play partner manager.