According to Google's official blog post,
“For the past two years, some of these rewards were for bug reports that were not strictly security vulnerabilities, but techniques that allow third parties to successfully bypass our abuse, fraud, and spam systems. Today, we are expanding our Vulnerability Reward Program to formally invite researchers to submit these reports.”

This bug bounty program applies to various Google services, including Google+, Gmail, YouTube, and Blogger. Bugs reported in Google Cloud Platform and in any other Google web service that handles sensitive user data are also in scope.
“In addition, significant abuse-related methodologies are also in scope for this program, if the reported attack scenario displays a design or implementation issue in a Google product that could lead to significant harm.”

According to Brown and Henson, these abuse methods include techniques that bypass account recovery, identification of services vulnerable to brute force, methods that bypass content-use and sharing restrictions, and ways to make unpaid purchases from Google. Regarding the term “valid reports”, they explain,
“Valid reports tend to result in changes to the product’s code, as opposed to removal of individual pieces of content.”

Google’s rewards for reporting security vulnerabilities range from $100 to $31,337. For reporting abuse methods, Google has announced bounties from $100 to $5,000. The amount awarded depends on the “potential probability and impact” of the bug.
Although the new addition to the Google VRP may not offer rewards as high as Google’s Chrome Rewards or other high-paying bug bounty programs, the expansion formally gives researchers more opportunities to earn money, while serving the obvious goal of improving security at Google.