Google and Alphabet Vulnerability Reward Program (VRP) Rules

Program Overview

The Google and Alphabet Vulnerability Reward Program (VRP) is designed to recognize and reward security researchers who discover and responsibly disclose vulnerabilities in Google and Alphabet services and infrastructure.

Eligibility

To participate in the VRP, you must:

• Be at least 18 years old (or the age of majority in your jurisdiction)
• Not be a Google or Alphabet employee
• Not be prohibited by law from participating
• Comply with all applicable laws and regulations

Vulnerability Scope

Eligible vulnerabilities include but are not limited to:

• Remote code execution
• SQL injection
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• Authentication and authorization flaws
• Insecure data exposure
• Information disclosure
• Denial of service
• Business logic flaws

Disclosure Guidelines

1. Responsible Disclosure: Researchers must follow responsible disclosure practices
2. Report Process: Submit findings through the official VRP submission portal
3. Confidentiality: Keep vulnerability details confidential until Google notifies you permission to disclose
4. No Public Disclosure: Do not publicly disclose vulnerabilities before receiving written permission from Google
5. Single Submission: Submit each vulnerability only once; do not duplicate reports across multiple channels

Bounty and Rewards

• Bounty amounts vary based on severity, impact, and quality of the report
• Google reserves the right to determine bounty amounts at its sole discretion
• Payment is made upon successful reproduction and verification of the vulnerability
• Bounty payments are made via wire transfer or other mutually agreed methods

Safe Harbor

Google commits to:

• Not pursuing civil or criminal action against researchers acting in good faith
• Not violating laws during good faith security research activities
• Handling reports confidentially and professionally

Rules and Requirements

• Do not access or modify user data beyond what is necessary to validate the vulnerability
• Do not disrupt service availability or stability
• Do not engage in social engineering, phishing, or physical security testing
• Obtain proper authorization before testing
• Do not publicly disclose vulnerabilities without written permission
• Follow all applicable laws and regulations

Submission Requirements

Include with your report:

• Clear description of the vulnerability
• Steps to reproduce
• Potential impact assessment
• Recommended remediation