Google and Alphabet Vulnerability Reward Program (VRP) Rules
Program Overview
The Google and Alphabet Vulnerability Reward Program (VRP) is designed to recognize and reward security researchers who help improve the security of Google products and services.
Eligibility
- You must be the first to report a vulnerability
- You must not be a Google employee or contractor
- You must comply with all program rules and applicable laws
- You must be at least 18 years old (or meet the minimum age requirement in your jurisdiction)
Vulnerability Types
The following types of vulnerabilities are eligible for rewards:
- Remote Code Execution
- Authentication and Authorization flaws
- SQL Injection
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Information Disclosure
- Denial of Service
- Logic errors affecting security
- Other vulnerabilities with security impact
Disclosure Guidelines
- Report vulnerabilities directly through the official VRP submission form
- Do not disclose vulnerabilities publicly or to third parties without prior written permission
- Do not access, modify, or retain data belonging to other users; confine testing to accounts and data you control
- Do not perform testing on production systems without authorization
- Do not conduct attacks that impact other users
- Provide sufficient detail for Google to reproduce and verify the vulnerability (the affected product or endpoint, step-by-step reproduction instructions, and a minimal proof of concept)
- Allow reasonable time for Google to investigate and fix issues before public disclosure
Bounty Rewards
Rewards are determined based on:
- Severity of the vulnerability
- Impact to users
- Quality of the report
- Cooperation with the security team
Bounty amounts vary and are decided at Google's discretion.
Safe Harbor
Google commits to:
- Not pursuing legal action against security researchers who test in good faith and in accordance with these program rules
- Protecting researcher identity where possible
- Working with researchers to address vulnerabilities responsibly
Scope
Testing is limited to Google and Alphabet properties. Researchers must only test systems for which they have been granted explicit permission. Unauthorized testing is prohibited.