Google and Alphabet Vulnerability Reward Program (VRP) Rules

Program Overview

The Google and Alphabet Vulnerability Reward Program (VRP) is designed to recognize and reward security researchers who help improve the security of Google products and services.

Eligibility

• You must be the first to report a vulnerability
• You must not be a Google employee or contractor
• You must comply with all program rules and applicable laws
• You must be at least 18 years old (or meet the minimum age requirement in your jurisdiction)

Vulnerability Types

The following types of vulnerabilities are eligible for rewards:

• Remote Code Execution
• Authentication and Authorization flaws
• SQL Injection
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• Information Disclosure
• Denial of Service
• Logic errors affecting security
• Other vulnerabilities with security impact

Disclosure Guidelines

• Report vulnerabilities directly through the official VRP submission form
• Do not disclose vulnerabilities publicly or to third parties without prior written permission
• Do not access or modify user data
• Do not perform testing on production systems without authorization
• Do not conduct attacks that impact other users
• Provide sufficient detail for Google to reproduce and verify the vulnerability
• Allow reasonable time for Google to investigate and fix issues before public disclosure

Bounty Rewards

Rewards are determined based on:

• Severity of the vulnerability
• Impact to users
• Quality of the report
• Cooperation with the security team

Bounty amounts vary and are decided at Google's discretion.

Safe Harbor

Google commits to:

• Not pursuing legal action against security researchers conducting testing in good faith
• Protecting researcher identity where possible
• Working with researchers to address vulnerabilities responsibly

Scope

Testing is limited to Google and Alphabet properties. Researchers must only test systems for which they have been granted explicit permission. Unauthorized testing is prohibited.