Google is expanding its vulnerability reward program again: the company wants to be notified about techniques that allow third parties to successfully bypass their abuse, fraud, and spam systems.
About the program expansion
“This expansion is intended to reward research that helps us mitigate potential abuse methods,” Eric Brown and Marc Henson of Google’s Trust and Safety team explained.
“A few examples of potentially valid reports for this program could include bypassing our account recovery systems at scale, identifying services vulnerable to brute force attacks, circumventing restrictions on content use and sharing, or purchasing items from Google without paying. Valid reports tend to result in changes to the product’s code, as opposed to removal of individual pieces of content.”
Another example they offered in the revised program rules is a technique by which an attacker can manipulate the rating score of a Google Maps listing by submitting a large volume of fake reviews that go undetected by their abuse systems.
While the members of the Google Security Team decide which bug reports are eligible for rewards, the reports of these abuse, fraud and spam techniques will be reviewed by experts on the company’s Trust and Safety team.
Depending on the impact of the submitted technique (its potential for causing privacy violations, financial loss, and other user harm) and the probability of it being implemented (technical skill set required, motivators, likelihood of the vulnerability being discovered), the rewards will range from $100 to $5,000:
“This program does not cover individual instances of abuse, such as the posting of content that violates our guidelines or policies, sending spam emails, or providing links to malware. These should continue to be reported through existing product-specific channels, such as for Google+, YouTube, Gmail, and Blogger,” Brown and Henson added.
As per usual, reporters will have the option to donate their reward to an established charity.