Announcing new reward amounts for abuse risk researchers
Posted by Marc Henson, Lead and Program Manager, Trust & Safety; Anna Hupa, Senior Strategist, at Google
It has been two years since we officially expanded the scope of Google’s Vulnerability Reward Program (VRP) to include the identification of product abuse risks.
Thanks to your work, we have identified more than 750 previously unknown product abuse risks, preventing abuse in Google products and protecting our users. Collaboration to address abuse is important, and we are committed to supporting research on this growing challenge. To take it one step further, and as of today, we are announcing increased reward amounts for reports focusing on potential attacks in the product abuse space.
The nature of product abuse is constantly changing. Why? The technology (product and protection) is changing, the actors are changing, and the field is growing. Within this dynamic environment, we are particularly interested in research that protects users’ privacy, ensures the integrity of our technologies, as well as prevents financial fraud or other harms at scale.
Research in the product abuse space helps us deliver trusted and safe experiences to our users. Martin Vigo’s research on Google Meet’s dial-in feature is one great example of an 31337 report that allowed us to better protect users against bad actors. His research provided insight on how an attacker could attempt to find Meet Phone Numbers/Pin, which enabled us to launch further protections to ensure that Meet would provide a secure technology connecting us while we’re apart.
New Reward Amounts for Abuse Risks
What’s new? Based on the great submissions that we received in the past as well as feedback from our Bug Hunters, we increased the highest reward by 166% from $5,000 to $13,337. Research with medium to high impact and probability will now be eligible for payment up to $5,000.
What did not change? Identification of new product abuse risks remains the primary goal of the program. Reports that qualify for a reward are those that will result in changes to the product code, as opposed to removal of individual pieces of abusive content. The final reward amount for a given abuse risk report also remains at the discretion of the reward panel. When evaluating the impact of an abuse risk, the panels look at both the severity of the issue as well as the number of impacted users.
What’s next? We plan to expand the scope of Vulnerability Research Grants to support research preventing abuse risks. Stay tuned for more information!
Starting today the new rewards take effect. Any reports that were submitted before September 1, 2020 will be rewarded based on the previous rewards table.
We look forward to working closely together with the researcher community to prevent abuse of Google products and ensure user safety.
Happy bug hunting!
Related Google News:
- Scaling deep retrieval with TensorFlow Recommenders and Vertex AI Matching Engine May 1, 2023
- Unleash your Google Cloud data with ThoughtSpot, Looker, and BigQuery May 1, 2023
- Track, Trace and Triumph: How Utah Division of Wildlife Resources is harnessing Google Cloud to… May 1, 2023
- Seeing the World: Vertex AI Vision Developer Toolkit May 1, 2023
- BBC: Keeping up with a busy news day with an end-to-end serverless architecture May 1, 2023
- Scalable electronic trading on Google Cloud: A business case with BidFX May 1, 2023
- Google Cloud and Equinix: Building Excellence in ML Operations (MLOps) May 1, 2023
- 20 new Chrome themes from Asian American and Pacific Islander artists May 1, 2023
September 1, 2020
Google / Security
This website is not part of the Google website or Google LLC. Additionally, this site is not endorsed by Google in any way. Google is a trademark of Google LLC.