Google Play Security Reward Program

target_in_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
cn.wps.moffice_eng GOOGLE_PLAY_APP_ID critical
Kingsoft Office - wps_security@kingsoft.com
com.airbnb.android GOOGLE_PLAY_APP_ID high high high critical
com.alibaba.aliexpresshd OTHER_APK critical
Alibaba - https://security.alibaba.com/en/
com.application.zomato GOOGLE_PLAY_APP_ID critical
Zomato - https://hackerone.com/zomato
com.dropbox.android GOOGLE_PLAY_APP_ID critical
Dropbox - https://hackerone.com/dropbox
com.dropbox.paper GOOGLE_PLAY_APP_ID critical
Dropbox - https://hackerone.com/dropbox
com.duolingo GOOGLE_PLAY_APP_ID critical
Duolingo - https://hackerone.com/duolingo
com.duolingo.tinycards GOOGLE_PLAY_APP_ID critical
Duolingo - https://hackerone.com/duolingo
com.fitbit.FitbitMobile GOOGLE_PLAY_APP_ID critical
Fitbit - https://www.fitbit.com/bugbounty
com.getsomeheadspace.android GOOGLE_PLAY_APP_ID critical
Headspace - https://hackerone.com/headspace
com.irccloud.android GOOGLE_PLAY_APP_ID critical
IRCCloud - https://hackerone.com/irccloud
com.my.mail GOOGLE_PLAY_APP_ID high high high critical
Mail.Ru - https://hackerone.com/mailru
com.opera.browser GOOGLE_PLAY_APP_ID critical
Opera: https://security.opera.com/report-security-issue/
com.opera.mini.native GOOGLE_PLAY_APP_ID critical
Opera: https://security.opera.com/report-security-issue/
com.opera.touch GOOGLE_PLAY_APP_ID critical
Opera: https://security.opera.com/report-security-issue/
com.pandora.android GOOGLE_PLAY_APP_ID critical
Pandora - security@pandora.com
com.paypal.android.p2pmobile GOOGLE_PLAY_APP_ID critical
Paypal - https://www.paypal.com/bugbounty/
com.paypal.here GOOGLE_PLAY_APP_ID critical
Paypal - https://www.paypal.com/bugbounty/
com.paypal.merchant.client GOOGLE_PLAY_APP_ID critical
Paypal - https://www.paypal.com/bugbounty/
com.quvideo.slideplus GOOGLE_PLAY_APP_ID critical
Quvideo Inc - googlesecurity@quvideo.com
com.quvideo.xiaoying GOOGLE_PLAY_APP_ID critical
Quvideo Inc - googlesecurity@quvideo.com
com.shazam.android GOOGLE_PLAY_APP_ID critical
Shazam - security-hackerone@shazam.com
com.shopee.id GOOGLE_PLAY_APP_ID critical
Sea - https://hackerone.com/shopee
com.shopee.my GOOGLE_PLAY_APP_ID critical
Sea - https://hackerone.com/shopee
com.shopee.ph GOOGLE_PLAY_APP_ID critical
Sea - https://hackerone.com/shopee
com.shopee.sg GOOGLE_PLAY_APP_ID critical
Sea - https://hackerone.com/shopee
com.shopee.tw GOOGLE_PLAY_APP_ID critical
Sea - https://hackerone.com/shopee
com.shopee.vn GOOGLE_PLAY_APP_ID critical
Sea - https://hackerone.com/shopee
com.shopify.mobile GOOGLE_PLAY_APP_ID critical
Shopify - https://hackerone.com/shopify
com.shopify.pos GOOGLE_PLAY_APP_ID critical
Shopify - https://hackerone.com/shopify
com.showmax.app GOOGLE_PLAY_APP_ID critical
Showmax - security+android@showmax.com
com.smule.singandroid.* GOOGLE_PLAY_APP_ID critical
Smule - android-security@smule.com
com.snapchat.android GOOGLE_PLAY_APP_ID critical
Snapchat - https://hackerone.com/snapchat
com.spotify.music GOOGLE_PLAY_APP_ID critical
com.spotify.s4a GOOGLE_PLAY_APP_ID critical
com.spotify.tv.android GOOGLE_PLAY_APP_ID critical
com.teslamotors.tesla GOOGLE_PLAY_APP_ID critical
Tesla - https://bugcrowd.com/tesla
com.tinder OTHER_APK critical
Tinder - https://www.gotinder.com/security
com.venmo GOOGLE_PLAY_APP_ID critical
Paypal - https://www.paypal.com/bugbounty/
com.vkontakte.android GOOGLE_PLAY_APP_ID critical
VK.com (VKontakte) - https://hackerone.com/vkcom
com.x8bit.bitwarden GOOGLE_PLAY_APP_ID critical
8bit Solutions LLC - security@bitwarden.com
com.xoom.android.app GOOGLE_PLAY_APP_ID critical
Paypal - https://www.paypal.com/bugbounty/
com.yandex.browser GOOGLE_PLAY_APP_ID critical
Yandex LLC - https://yandex.com/bugbounty/report/
im.delight.letters GOOGLE_PLAY_APP_ID critical
delight.im - https://hackerone.com/delight_im
jp.naver.line.android GOOGLE_PLAY_APP_ID critical
Line - https://bugbounty.linecorp.com/
org.telegram.messenger GOOGLE_PLAY_APP_ID critical
Telegram Messenger LLP - security@telegram.org
org.videolan.vlc GOOGLE_PLAY_APP_ID critical
VLC - https://www.videolan.org/security/
ru.mail.auth.totp GOOGLE_PLAY_APP_ID high high high critical
Mail.Ru - https://hackerone.com/mailru
ru.mail.calendar GOOGLE_PLAY_APP_ID high high high critical
Mail.Ru - https://hackerone.com/mailru
ru.mail.cloud GOOGLE_PLAY_APP_ID high high high critical
Mail.Ru - https://hackerone.com/mailru
ru.mail.mailapp GOOGLE_PLAY_APP_ID high high high critical
Mail.Ru - https://hackerone.com/mailru
ru.yandex.disk GOOGLE_PLAY_APP_ID critical
Yandex LLC - https://yandex.com/bugbounty/report/
ru.yandex.mail GOOGLE_PLAY_APP_ID critical
Yandex LLC - https://yandex.com/bugbounty/report/
ru.yandex.market GOOGLE_PLAY_APP_ID critical
Yandex LLC - https://yandex.com/bugbounty/report/
ru.yandex.metro GOOGLE_PLAY_APP_ID critical
Yandex LLC - https://yandex.com/bugbounty/report/
ru.yandex.music GOOGLE_PLAY_APP_ID critical
Yandex LLC - https://yandex.com/bugbounty/report/
ru.yandex.searchplugin GOOGLE_PLAY_APP_ID critical
Yandex LLC - https://yandex.com/bugbounty/report/
ru.yandex.taxi GOOGLE_PLAY_APP_ID critical
Yandex LLC - https://yandex.com/bugbounty/report/
ru.yandex.weatherplugin GOOGLE_PLAY_APP_ID critical
Yandex LLC - https://yandex.com/bugbounty/report/
ru.yandex.yandexmaps GOOGLE_PLAY_APP_ID critical
Yandex LLC - https://yandex.com/bugbounty/report/
ru.yandex.yandexnavi GOOGLE_PLAY_APP_ID critical
Yandex LLC - https://yandex.com/bugbounty/report/
com.ayopop GOOGLE_PLAY_APP_ID critical
Ayopop - devops@ayopop.com
com.vk.admin GOOGLE_PLAY_APP_ID critical
VK.com (V Kontakte LLC) - https://hackerone.com/vkcom
com.vk.quiz GOOGLE_PLAY_APP_ID critical
VK.com (V Kontakte LLC) - https://hackerone.com/vkcom
ru.ok.android GOOGLE_PLAY_APP_ID critical
Ok.Ru - https://hackerone.com/ok
ru.ok.live GOOGLE_PLAY_APP_ID critical
Ok.Ru - https://hackerone.com/ok
ru.ok.messages GOOGLE_PLAY_APP_ID critical
Ok.Ru - https://hackerone.com/ok
com.grab.food.dax GOOGLE_PLAY_APP_ID critical
https://hackerone.com/grab
com.grab.food.pax GOOGLE_PLAY_APP_ID critical
https://hackerone.com/grab
com.grabtaxi.driver2 GOOGLE_PLAY_APP_ID critical
https://hackerone.com/grab
com.grabtaxi.passenger GOOGLE_PLAY_APP_ID critical
https://hackerone.com/grab
com.shopify.pos.customerview GOOGLE_PLAY_APP_ID critical
Shopify - https://hackerone.com/shopify
com.application.zomato.ordering GOOGLE_PLAY_APP_ID critical
Zomato - https://hackerone.com/zomato
in.sweatco.app GOOGLE_PLAY_APP_ID critical
Sweatcoin - https://hackerone.com/sweatco_ltd
com.languagedrops.drops.international GOOGLE_PLAY_APP_ID critical
Language Drops - security@languagedrops.com
com.languagedrops.drops.scrips.learn.write.alphabet.letters.characters.language.japanese.korean.chinese GOOGLE_PLAY_APP_ID critical
Language Drops - security@languagedrops.com
com.livestream.livestream GOOGLE_PLAY_APP_ID critical
Livestream - hackerone.com/livestream
com.vimeo.android.videoapp GOOGLE_PLAY_APP_ID critical
Vimeo - hackerone.com/vimeo
tv.vhx.* GOOGLE_PLAY_APP_ID critical
Excludes tv.vhx (test on branded apps). VHX - hackerone.com/vhx
com.opera.app.news GOOGLE_PLAY_APP_ID critical
Opera - https://security.opera.com/report-security-issue/
com.grammarly.android.keyboard GOOGLE_PLAY_APP_ID critical
Grammarly - https://hackerone.com/grammarly
com.picsart.studio GOOGLE_PLAY_APP_ID critical
PicsArt - security@picsart.com
com.facebook.katana GOOGLE_PLAY_APP_ID critical
Facebook - https://www.facebook.com/whitehat/report/
com.facebook.orca GOOGLE_PLAY_APP_ID critical
Facebook Messenger - https://www.facebook.com/whitehat/report/
com.instagram.android GOOGLE_PLAY_APP_ID critical
Instagram - https://www.facebook.com/whitehat/report/
com.lyft.android.driver GOOGLE_PLAY_APP_ID critical
Lyft - https://www.lyft.com/security
me.lyft.android GOOGLE_PLAY_APP_ID critical
Lyft - https://www.lyft.com/security
com.priceline.android.negotiator GOOGLE_PLAY_APP_ID critical
Priceline - https://hackerone.com/priceline
com.pinterest GOOGLE_PLAY_APP_ID critical
Pinterest - https://bugcrowd.com/pinterest
com.jnj.mocospace.android GOOGLE_PLAY_APP_ID critical
JNJ Mobile - https://hackerone.com/jnj_mobile
com.mobisystems.fileman GOOGLE_PLAY_APP_ID critical
MobiSystems - https://hackerone.com/mobisystems_ltd
com.mobisystems.msdict.embedded.wireless.oxford.dictionaryofenglish GOOGLE_PLAY_APP_ID critical
MobiSystems - https://hackerone.com/mobisystems_ltd
com.mobisystems.office GOOGLE_PLAY_APP_ID critical
MobiSystems - https://hackerone.com/mobisystems_ltd
App on Play with >= 100 million installs, not listed in scope OTHER critical
Organizations typically publish a vulnerability disclosure policy with guidance on how they receive information related to potential vulnerabilities in their products or online services (see [ISO 29147](https://www.iso.org/standard/45170.html)). If you have been unsuccessful in contacting an organization regarding the responsible disclosure of a potential security vulnerability in an app on Play with >= 100 million installs, HackerOne and Google can offer disclosure assistance. If this issue is within scope for this program, HackerOne and Google will attempt to contact this organization and deliver this vulnerability information to them.
By submitting a report to this scope, you agree to the following terms:
I understand that my usage of this disclosure assistance service is strictly voluntary.
HackerOne and Google did not ask me to use the service or identify the organization in which I found a vulnerability.
HackerOne and Google have not made any guarantees or promises to me with respect to the service.
If I choose to submit vulnerability information, I will not disclose the vulnerability information to any other party until I have come to a separate agreement with the organization to which the vulnerability information relates, or until HackerOne or Google informs me that it is unable or unwilling to continue assisting with the disclosure, whichever comes first.
I assume all liability for usage of the service, and I have been advised to follow the [EFF Vulnerability Reporting FAQ](https://www.eff.org/issues/coders/vulnerability-reporting-faq).
I agree that HackerOne and Google may use any information I submit through this service and may share that information with third parties.
com.coinbase.android GOOGLE_PLAY_APP_ID critical
Coinbase - https://hackerone.com/coinbase
com.coinbase.pro GOOGLE_PLAY_APP_ID critical
Coinbase - https://hackerone.com/coinbase
org.toshi GOOGLE_PLAY_APP_ID critical
Coinbase - https://hackerone.com/coinbase

target_out_of_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
com.facebook.mlite GOOGLE_PLAY_APP_ID none
com.instagram.boomerang GOOGLE_PLAY_APP_ID none
com.instagram.layout GOOGLE_PLAY_APP_ID none
com.whatsapp GOOGLE_PLAY_APP_ID none
com.whatsapp.w4b GOOGLE_PLAY_APP_ID none
com.whatsapp.wallpaper GOOGLE_PLAY_APP_ID none
com.duolingo GOOGLE_PLAY_APP_ID none
(Temporarily out of scope) Duolingo - https://hackerone.com/duolingo