I wrote or found a malicious application

We get a variety of reports involving the ability to upload malicious applications to Play. These are generally not eligible for rewards. Malware detection necessarily involves trade-offs between detecting as many malicious apps as possible and not falsely detecting legitimate apps. In addition, our malware detection systems take into account factors other than the contents of an app, so just because you can upload an app doesn't mean a real attacker could. For these reasons, we don't consider failing to detect a proof-of-concept malicious app in Play a vulnerability. 

We get an especially large number of reports of ways to bypass licensing restrictions, in-app billing, or other types of copyright protection in an app. Google uses a variety of methods to enforce licensing restrictions, copyright and payment, therefore proof-of-concept bypasses of the restrictions are not eligible. 

If you spot an application that you believe engages in malicious behavior on behalf of a real attacker, we greatly appreciate if you report it to security@android.com, but note that these reports are outside of the scope of the rewards program. 

Also note that there are no research exceptions to the Play application policy. If you upload a malicious application to Play, you risk your account being suspended, even if it was just to see if you could.