Mobile Applications

Submissions relating to the following mobile applications are in-scope for the Bug Bounty Program:

| Mobile Application Name | Android Package | iOS Package |
|---|---|---|
| Claro Pay | com.paypal.android.claro | com.paypal.claro |
| PayPal | com.paypal.android.p2pmobile | com.yourcompany.PPClient |
| PayPal Business: Send Invoices | com.paypal.merchant.client | com.paypal.merchant |
| PayPal Carica | com.paypal.android.carica | com.paypal.carica |
| PayPal Here - POS, Credit Card Reader | com.paypal.here | com.paypal.here, com.paypal.herehd |
| Telcel Pay | com.paypal.android.telcel | com.paypal.telcel |
| Venmo: Send & Receive Money | com.venmo | net.kortina.labs.Venmo |
| Xoom Money Transfer | com.xoom.android.app | com.xoom.app |


In-Scope Mobile Application Vulnerabilities

In addition to the in-scope applications referenced above, the following vulnerability types will be considered in-scope Submissions for mobile applications:

  • Man-in-the-Middle attacks
  • Attacks requiring physical access to a device

Out-of-Scope Mobile Application Vulnerabilities

The following mobile application vulnerabilities are out-of-scope for the Bug Bounty Program:

  • Vulnerabilities requiring a rooted, jailbroken, or otherwise modified device
  • Vulnerabilities requiring extensive user interaction
  • Exposure of non-sensitive data on the device
  • Vulnerabilities in third-party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)

Frequently Asked Questions

We are a participant in the Google Play Security Reward Program. Certain PayPal Android applications may be eligible for the Google Play program. All vulnerabilities must first be directly reported to the PayPal Bug Bounty Program via the HackerOne portal and be resolved prior to submitting a bonus bounty through the Google Play program. PayPal has no control over the Google Play Security Rewards Program and that program may be discontinued at any time. Any determinations regarding awards under the Google Play Security Rewards Program are at the sole discretion of Google. For the full terms of the Google Play Security Reward Program and the list of eligible applications, please visit https://hackerone.com/googleplay.