Google on Wednesday announced that it is formally expanding its Vulnerability Reward Program to include reports about techniques that allow third parties to bypass Google’s abuse, fraud, and spam systems. Previously, the formal statement limited bug reports to security vulnerabilities, however the move comes after numerous reports were submitted around platform abuse. This programme does not yet cover individual instances of abuse, which are required to be reported through product-specific channels. These product-specific channels include the likes of Google+, YouTube, Gmail, and Blogger.
Since its inception in 2010, Google’s bug bounty programme has given out more than $12 million (roughly Rs. 84.25 crores) to researchers and has helped in creating a thriving community that proactively sends reports to Google. Of this $12 million, nearly $3 million (approximately Rs. 21.1 crores) was given out in 2017 alone, of which Chrome bug reports took the majority of funds.
As examples of potentially valid reports in the revised programme, Google lists instances such as bypassing account recovery systems at scale, identifying services vulnerable to brute force attacks, circumventing restrictions on content use and sharing, and purchasing items from Google without paying. “Valid reports tend to result in changes to the product’s code, as opposed to removal of individual pieces of content,” said Eric Brown and Marc Henson, Trust and Safety, Google.
These reports, submitted by researchers, are reviewed by the panel on the Trust and Safety team, which is highly skilled in detecting cases of abuse, fraud, and spam activity on Google’s suite of products.
Back in April this year, ride-hailing service Uber had announced a refresh to its bug bounty programme after it mishandled a data breach back in 2016. In a major announcement, Uber also revealed that it updated the policies to specifically state that the company will not pursue any legal action against good-faith hackers who submit flaws through the bug bounty portal.