Eight years ago, the Google bug bounty program began with the intention of improving Google’s security. Through this program, numerous security researchers have earned tempting rewards. Now, Google has decided to formally expand the scope of its Vulnerability Reward Program (VRP). Besides security flaws, Google VRP will also cover abuse methods.
Google Bug Bounty Program Undergoes Scope Expansion
On Wednesday, Eric Brown and Marc Henson from Google disclosed an official decision by the firm regarding the Google Bug Bounty Program. As stated in their blog post, Google is expanding the scope of its Vulnerability Reward Program. Earlier, Google VRP typically covered only security vulnerabilities. However, since some previous rewards were already paid for abuse-related reports, Google has decided to formally include such reports in the VRP’s scope.
According to Google’s official blog post,
“For the past two years, some of these rewards were for bug reports that were not strictly security vulnerabilities, but techniques that allow third parties to successfully bypass our abuse, fraud, and spam systems. Today, we are expanding our Vulnerability Reward Program to formally invite researchers to submit these reports.”
This bug bounty program applies to various Google services, including Google+, Gmail, YouTube, and Blogger. Bugs reported in the Google Cloud Platform and in any other Google web service handling sensitive user data are also included in this program.
What Qualifies For The Bounty?
As explained by Google, anything affecting the “confidentiality and integrity” of Google’s user data comes under this bug bounty. Notably, the following security vulnerabilities qualify for this VRP:
- Cross-site request forgery
- Cross-site scripting
- Authentication or authorization flaws
- Mixed-content scripts
- Server-side code execution bugs
Now, after the expansion of the VRP’s scope, Google adds the following statement covering abuse methods,
“In addition, significant abuse-related methodologies are also in scope for this program, if the reported attack scenario displays a design or implementation issue in a Google product that could lead to significant harm.”
According to Brown and Henson, these abuse methods include techniques for bypassing account recovery, identification of services vulnerable to brute-force attacks, methods for bypassing content use and sharing restrictions, and ways of making unpaid purchases from Google. Regarding the term “valid reports”, they explain,
“Valid reports tend to result in changes to the product’s code, as opposed to removal of individual pieces of content.”
Google’s rewards for reporting security vulnerabilities range between $100 and $31,337. For reporting abuse methods, Google has announced bounties between $100 and $5000. The amount rewarded depends on the “potential probability and impact” of the bug.
Although the new addition to Google VRP may not offer rewards as high as Google’s Chrome Rewards or other high-paying bug bounty programs, this expansion formally gives researchers more opportunities to earn money, besides serving the obvious goal of improving security at Google.