Mobile Applications

Submissions relating to the following mobile applications are in-scope for the Bug Bounty Program:

Mobile Application Name Android Package iOS Package
Claro Pay com.paypal.claro
PayPal com.yourcompany.PPClient
PayPal Business: Send Invoices com.paypal.merchant.client com.paypal.merchant
PayPal Carica com.paypal.carica
PayPal Here - POS, Credit Card Reader,
Telcel Pay com.paypal.telcel
Venmo: Send & Receive Money com.venmo net.kortina.labs.Venmo
Xoom Money Transfer

**In-Scope Mobile Application Vulnerabilities**

In addition to the in-scope applications referenced above, the following vulnerability types will be considered in-scope Submissions for mobile applications:

  • Man-in-the-Middle attacks
  • Attacks requiring physical access to a device

Out-of-Scope Mobile Application Vulnerabilities

The following mobile application vulnerabilities are out-of-scope for the Bug Bounty Program:

  • Vulnerabilities requiring a rooted, jailbroken, or otherwise modified device
  • Vulnerabilities requiring extensive user interaction
  • Exposure of non-sensitive data on the device
  • Vulnerabilities in third-party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)

Frequently Asked Questions

We are a participant in the Google Play Security Reward Program. Certain PayPal Android applications may be eligible for the Google Play program. All vulnerabilities must first be reported directly to the PayPal Bug Bounty Program via the HackerOne portal and be resolved prior to submitting a bonus bounty through the Google Play program. PayPal has no control over the Google Play Security Rewards Program, and that program may be discontinued at any time. Any determinations regarding awards under the Google Play Security Rewards Program are at the sole discretion of Google. For the full terms of the Google Play Security Reward Program and the list of eligible applications, please visit