Google has been running various bug bounty programs since 2010. In this time-span, the company has covered a plethora of issues that caused over $12 million to be paid out for various bugs caught. It was not just solely bugs that were targeted in these programs, however, as Google also indirectly used such programs to strengthen their abuse, fraud, and spam protections. Based on this past success, the Google bug bounty program has been expanded with new rewards for those who successfully spot even more abuse, fraud, and spam.
In a post by Eric Brown and Marc Henson of Google’s Trust & Safety division, it was stated how Google was officially expanding its Vulnerability Reward Program to “formally invite researchers to submit these reports.” The specific parameters and goals of this expanded program were outlined as follows:
This expansion is intended to reward research that helps us mitigate potential abuse methods. A few examples of potentially valid reports for this program could include bypassing our account recovery systems at scale, identifying services vulnerable to brute force attacks, circumventing restrictions on content use and sharing, or purchasing items from Google without paying. Valid reports tend to result in changes to the product’s code, as opposed to removal of individual pieces of content.”
The post also made it clear that the Vulnerability Reward Program would not deal with specific instances involving posted content that violate Terms of Service, spam emails, or other issues like linking to malware. The goal of this Google bug bounty program expansion is to deal with more technical issues that can be catastrophic if left unchecked. For the issues that are mentioned as being outside of the scope of this program, Google recommends reporting such issues to the websites they occur on (YouTube, Google+, etc.).
Google is such a massive company, and as such, it is not implausible to imagine that there are tons of errors to be exploited in this new area of bounties. The researchers that uncover these issues under this new Google bug bounty program will likely make a decent sum of cash, and if so, lucky them.