Google and Alphabet Vulnerability Reward Program (VRP) Rules

Program Overview

The Google and Alphabet Vulnerability Reward Program (VRP) is a program through which individuals can report security vulnerabilities affecting Google products and services in a responsible manner and potentially receive a monetary reward for their findings.

Eligibility

Participants must comply with all applicable laws and regulations. Employees of Google, Alphabet Inc., and their subsidiaries are not eligible for rewards.

Vulnerability Reporting

Security vulnerabilities must be reported responsibly and in good faith. Researchers should disclose vulnerabilities to Google before publicly disclosing them to others.

Scope

The VRP covers Google products and services. Specific in-scope targets may be listed separately on the program page.

Safe Harbor

Google recognizes the importance of security research and commits to not taking legal action against researchers who:

• Report vulnerabilities in good faith
• Avoid privacy violations and damage to data
• Do not access more data than necessary
• Do not modify or delete data
• Do not disrupt services
• Comply with the program rules and guidelines

Rewards

Monetary rewards may be offered for eligible vulnerability reports, based on severity and impact. Reward amounts vary depending on the vulnerability classification and the product affected.

Responsible Disclosure

Researchers must allow Google reasonable time to investigate and remediate reported vulnerabilities before public disclosure. The standard disclosure timeline is 90 days from initial report, though this may be extended in certain circumstances.

Code of Conduct

All participants must conduct themselves professionally and ethically. Google reserves the right to disqualify participants who violate the program rules or act in bad faith.