Google Expands Its Vulnerability Reward Program To Include Bug Reports On Methods Hackers Can Use To Bypass Google’s Anti-Fraud And Spam Systems

Two years ago, Google officially expanded the scope of its VRP (Vulnerability Reward Program) to include the identification of product abuse risks. Since then, the company says it has identified more than 750 previously unknown product abuse risks, preventing abuse of its products and protecting consumers. Building on that, the company is now increasing reward amounts for reports in the product abuse space.

Today, the company also announced that it is expanding the Vulnerability Reward Program to cover reports on methods that attackers can use to bypass Google's fraud, abuse, and spam systems. Marc Henson and Eric Brown of Google gave two examples of potentially valid reports for this program: bypassing Google's account recovery systems at scale, or buying items from Google without paying.

Reports describing such abuse techniques will be reviewed by Google's Trust and Safety team once they are submitted to the VRP (Vulnerability Reward Program). That team specializes in preventing and mitigating fraud, spam, and abuse across the company's product platforms.

However, the program does not cover individual instances of abuse, such as sending spam emails, linking to malware, or posting content that violates Google's policies or guidelines. The distinction is between a reproducible technique that defeats an anti-abuse system and a single act of abuse that the system should already handle: only the former qualifies. Valid reports that reach the Trust and Safety team will most likely result in code changes designed to ensure that the bypass method can no longer be used.

The company has paid over $12 million to security researchers through its Vulnerability Reward Program. More than half of that amount, $6.5 million, was paid out in 2019 alone, compared with $3.4 million in 2018. In 2019 the company rewarded 461 researchers, the largest single payout going to Guang Gong of Alpha Lab, who received $201,337 for a remote code execution exploit chain targeting Pixel 3 devices.

Rewards for a qualifying bug submitted through the program now range from $100 to $31,337, and the total can be higher for submitted exploit chains. The new changes take effect today; any reports submitted before September 1 of this year will be rewarded according to the previous rewards table of Google's VRP.
