Developer Data Protection Reward Program Rules

Google is committed to making the Android, Google API, and Chrome Extension ecosystem safer for 2+ billion users daily. The Developer Data Protection Reward Program is a bounty program to identify and mitigate data abuse issues in popular Android applications, Chrome extensions, and applications leveraging the Google API. It recognizes the contributions of individuals who help report apps that are violating applicable program policies and are potentially putting user data at risk.

Disclosure Policy

Google will work directly with the affected developer to remediate any user data policy violations. Do not contact the developer directly regarding your findings without discussing coordinated disclosure with Google first. If you’ve identified a security vulnerability (not a data abuse issue) in the affected developer’s properties, please report it directly to the developer.

Program Rules

To be eligible for a reward under this program, the reporter must:

Scope

To be eligible for a reward, the issue must:

Google Play

Data Abuse Criteria & Examples

A report qualifies under this program if it meets one or more of the following criteria and clearly demonstrates abuse of the data in question. Reward eligibility and amount are ultimately at the discretion of Google, but the following criteria and examples demonstrate the types of issues that may qualify:

Clear evidence of abuse of data must be provided for the report to qualify. An app that has more permissions than may be expected for its functionality, or an app that transfers data to a third party within the scope of the User Data policy, is by itself not sufficient evidence of abuse. Evidence must be provided that abuse of data has occurred for a report to qualify.

Out of scope

Google API

Data Abuse Criteria & Examples

A report qualifies under this program if it meets one or more of the following criteria. Reward eligibility and amount are ultimately at the discretion of Google, but the following criteria and examples demonstrate the types of issues that may qualify:

Out of Scope

Chrome Extensions

Data Abuse Criteria & Examples

A report qualifies under this program if it meets one or more of the following criteria. Reward eligibility and amount are ultimately at the discretion of Google, but the following criteria and examples demonstrate the types of issues that may qualify:

Out of Scope

Report Requirements

At a minimum, your report must include:

Timing Expectations

We will aim to provide a first response within 3 business days. After the report has been validated, Google will work with the affected developer to enforce the applicable data policies. Following these steps, provided your report meets the requirements above, a bounty will be awarded. We will do our best to keep you informed about our progress throughout this process.

Do not include or attach the affected user data as part of your report unless it is your own or you’ve been explicitly authorized to share it.

We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.

This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion.

Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.