Google has published the Google Play Security Reward Program to urge security researchers to come forward about security issues in popular applications on the Google Play Store.
The company has used the HackerOne platform, security researchers will be able to report issues directly to the developers and once it has been addressed, the researchers will receive a reward from Google Play.
According to Google will reward critical, high, and moderate severity vulnerabilities. Patches that don’t necessarily fix a vulnerability but provide additional hardening may qualify for Google Patch Rewards.
Rules that rewarding a vulnerability report:
- Only the first report of a specific vulnerability will be rewarded.
- A bug report must include as much detail as possible, a buildable proof of concept, crash dump if available, and any additional repro steps. For tips on how to submit complete reports, refer to Bug Hunter University.
- Bugs initially disclosed publicly, or to a third-party for purposes other than fixing the bug, will typically not qualify for a reward. Google encourages responsible disclosure, and we believe responsible disclosure is a two-way street; it’s our duty to fix serious bugs within a reasonable time frame.
There are also a few classes of vulnerabilities that will generally not qualify for a reward:
- Issues that require complex user interaction. For example, if the vulnerability requires installing an app and then waiting for a user to make an unlikely configuration change.
- Phishing attacks that involve tricking the user into entering credentials.
- Tap-jacking and UI-redressing attacks that involve tricking the user into tapping a UI element.
- Issues that only affect userdebug builds or require debugging access (ADB) to the device.
- Bugs that simply cause an app to crash.
- Low severity issues typically do not qualify for rewards, as described in Bug Hunter University, with some exceptions.
They will give the reward amount depends on the severity of the vulnerability and the quality of the report. A valid bug report may receive low $200-$303, Moderate $20,000 – $35,000, High $75,000-$100,00 and Critical $150,000-200,000 will be rewarded to according to Google, the company said that more criteria may be appended in the future and more scope for rewards.
Until now, there are a limited number of apps have been joined to Google Play Security Reward Program, including Alibaba, Dropbox, Duolingo, Line, SnapChat, Headspace, Mail.ru and Tinder.
Google wish that this program will assist app developers to keep security issues out of their apps, which has been a problem on Android for a while now.
Investigating and reporting bugs
When investigating a vulnerability, please, only ever target your own devices. Never attempt to access anyone else’s data and do not engage in any activity that would be disruptive or damaging to your fellow users or to Google.
All bugs should be reported using the Android Security Issue template. If you are submitting a patch or CTS test, please attach the files to the bug report. Again, if your patch or test doesn’t conform to Android’s Coding Style Guidelines, we may reduce the reward amount.
I’m an Entrepreneur, Freelance Security Consultant, Bug Hunter having years of experience with a deep interest in InfoSec Industry. I love to speak and write about web and mobile application pen-testing, bug bounty. You can reach me at