Vulnerability Reward Program

Program Rules

In November 2010, our security team launched a Vulnerability Reward Program for Google web properties. We have long enjoyed close cooperation with the security research community - and, encouraged by the success of our Chrome Vulnerability Reward Program, we decided to take this step to invite cutting-edge external research that would help us keep our users safe.

Services in scope

Any Google-operated web service that handles reasonably sensitive user data is intended to be in scope. This includes virtually all the content in the following domains:

We make an important exception for acquired companies: for the first 6 months after the acquisition, the vulnerabilities in acquired platforms will usually not qualify for a reward.

Please note that Google client applications (Android, Picasa, Google Desktop, etc.) are currently not in scope. We may expand the program in the future.

Qualifying vulnerabilities

It is difficult to provide a definitive list of bugs that will qualify for a reward: any bug that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:

The following reports will definitely be excluded:

Out of concern for the availability of our services to all users, we ask you to refrain from using any tools that are likely to automatically generate significant volumes of traffic.

Reward amounts

Rewards for qualifying bugs range from $100 to $20,000. The following table outlines the usual rewards for the anticipated classes of bugs:

| Bug class | accounts.google.com | Other highly sensitive services [1] | Normal Google applications | Non-integrated acquisitions and other lower priority sites [2] |
|---|---|---|---|---|
| Remote code execution | $20,000 | $20,000 | $20,000 | $5,000 |
| SQL injection or equivalent | $10,000 | $10,000 | $10,000 | $5,000 |
| Significant authentication bypass or information leak | $10,000 | $5,000 | $1,337 | $500 |
| Typical XSS | $3,133.7 | $1,337 | $500 | $100 |
| XSRF, XSSI, and other common web flaws | $500 - $3,133.7 (depending on impact) | $500 - $1,337 (depending on impact) | $500 | $100 |

[1] This category includes products such as Google Search (https://www.google.com), Google Wallet (https://wallet.google.com), Google Mail (https://mail.google.com), Google Code Hosting (code.google.com), and Google Play (https://play.google.com).

[2] Note that acquisitions qualify for a reward only after the initial 6-month blackout period has elapsed.

In each case, the ultimate decision is made by the reward panel and is at our discretion. In particular, we may decide to pay higher rewards for unusually clever or severe vulnerabilities; decide that a single report actually constitutes multiple bugs; or that multiple reports are so closely related that they only warrant a single reward.

We understand that some of you are not interested in money. We also offer the option to donate your reward to charity. If you do, we will match it - subject to our discretion.

Regardless of whether you're rewarded monetarily or not, all vulnerability reporters who interact with us in a productive manner will be credited on the Hall of Fame. If we file a security bug internally, we will acknowledge your contribution on that page.

Investigating and reporting bugs

When investigating a vulnerability, please only ever target your own accounts. Never attempt to access anyone else's data, and do not engage in any activity that would be disruptive or damaging to your fellow users or to Google.

If you have found a vulnerability, please contact us at security@google.com. Feel free to be succinct: the mailbox is attended by security engineers, and a short proof-of-concept link is more valuable than a video explaining the consequences of an XSS bug. Oh: if necessary, you can use this PGP key.

Note that we are only able to answer technical vulnerability reports. Non-security bugs and queries about problems with your account should instead be directed to Google Help Centers.

Frequently asked questions

Q: Who determines whether my report is eligible for a reward?

A: The reward panel consists of members of the Google Security Team. The current permanent members are Adam Mein, Kevin Stadmeyer, Martin Straka, Eduardo Vela Nava, and Michal Zalewski, with rotating membership from Matthew Dempsky, Thai Duong, Artur Janc, Mateusz Jurczyk, Billy Rios, Fermin Serna and Michal Skladnikiewicz.

Q: What happens if I disclose the bug publicly before you have had a chance to fix it?

A: Please read our stance on coordinated disclosure. In essence, our pledge to you is to respond promptly and fix bugs in a sensible timeframe - and in exchange, we ask for reasonable advance notice. Reports that go against this principle will usually not qualify, but we will evaluate them on a case-by-case basis.

Q: I wish to report an issue through a vulnerability broker. Will my report still qualify for a reward?

A: We believe that it is against the spirit of the program to privately disclose the flaw to third parties for purposes other than actually fixing the bug. Consequently, such reports will typically not qualify.

Q: What if somebody else also found the same bug?

A: First in, best dressed. You will qualify for a reward only if you were the first person to alert us to a previously unknown flaw.

Q: My employer / boyfriend / dog frowns upon my security research. Can I report a problem privately?

A: Sure. If you are selected as a recipient of a reward, and if you accept, we will need your contact details to process the payment. You can still request not to be listed on our public credits page, however.

Q: Are there any commonly reported vulnerabilities that are not clear-cut, and for which the panel historically erred on the side of not issuing rewards?

A: Yes. In the spirit of transparency, and to help focus external efforts, here is an overview of reports we most commonly reject:

Legal points

We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.

This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time, and the decision as to whether or not to pay a reward has to be entirely at our discretion.

Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.