Google Launched Google Play Security Reward Program for Android Security

Google has launched Google Play Security Reward Program just a few days back in coordination with bug bounty platform HackerOne. However, Google itself runs its own bug bounties for Android, Chrome, and websites and now expanding this concept to popular Android Apps. For this, researchers will be paid $1,000 reward for qualifying vulnerabilities.

As per HackerOne, hackers will identify the app vulnerabilities and report it to the developers as soon as they find them. After this, the hacker will request for a reward from the program. Once it is evaluated to check whether it meets the Google’s criteria or not, he will be awarded $1000 for this.

Note: Google brings the bug bounty vulnerability research model to Android apps in the Play Store.

Google Play Security Reward Program includes following apps till now:

– Dropbox, Alibaba, Duolingo, Line, Mail.Ru, Headspace, Tinder, Snapchat

How does it work?

To know its working, one should be aware of “qualifying bugs” for which researchers are awarded. These bugs are limited to RCE(remote code execution) flaws that work on Android devices with version 4.4 or above. This includes attacks which allow malicious code to be downloaded and executed, opening a webview in an app for phishing and manipulating the user interface to cause a fraudulent transaction. Here is its working:

– Researchers find bugs and report it directly to the app’s developer via their current vulnerability disclosure process.

– The bounty page consists of links to the page where they report issues to the participating firms.

– App developer fixes the bug while working with them.

– Once the bug gets resolved, the researchers request a reward from the Google Play Security Reward Program.

– Android Security team issues an additional reward to thank them for improving security within the Google Play ecosystem.


Many companies in the bounty program are already offering bug bounties separately via HackerOne or through their own programs. Some of these companies are listed below:

– Tinder has bug bounty which is a private program.

– Dropbox is running its bounty since 2014 and currently offers $15,625 for “trivial” RCE’s affecting its Android app, iOS and higher rewards for attacks on its servers.

– Snapchat has already paid out approx. $140,000 via HackerOne bounty program.

Google Play Security Reward Program “Top Benefits”:

– It aims to incentivize research in a bug bounty model.

– It can improve Android app security which will benefit app developers.

– It will also benefit the entire Google Play ecosystem and Android users.

– It will resolve unknown vulnerabilities and make Android a safe computing platform.


Apart from these, there are plenty of other features. For details, please have a look at this following video.


As far we have seen, Google Play Security Reward Program offers a lot of benefits/rewards to increase android security. You might not be confused now for not opting this program even after watching the above video.

In fact, you can easily install the app from the Google play store. However, if you still have any query regarding this Android security reward program, then you are free to get expert advice from our Android development team at ValueCoders. ValueCoders, an Indian IT outsourcing company, provides expert software development teams for Android application development, for all your android app development needs. Contact Us Today!!

About the Author

Mantra is a Business Consultant & strategic thought leader bridging the divide between technology and client satisfaction. With 12 years of knowledge, innovation and hands-on experience in providing consultations to Startups, ISVs & Agencies who need dedicated development & technology partners. He has also lead to the delivery of countless successful projects.
Blogging is his passion & he shares his expertise here through ValueCoders.. Follow him on Twitter & LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.