Google has unveiled a new AI Vulnerability Reward Program (VRP), offering payouts of up to $30,000 for researchers who successfully identify and report security flaws in its AI products, including its flagship Gemini platform.
The program builds on Google's earlier efforts to incentivize ethical hacking and vulnerability reporting, in particular the 2023 expansion of its Abuse VRP, which brought AI products into the scope of the existing reward system and yielded promising results.
Since that expansion, more than $430,000 has been paid out for findings in AI products alone. Security Engineering Managers Jason Parsons and Zak Bennett credit that track record with laying the groundwork for a more clearly defined reward program focused exclusively on AI.
Why the New Google AI VRP?
Google acknowledges that, until now, the scope of AI-related bug reports was ambiguous: researchers were unsure which kinds of issues qualified for rewards and where to report them. In response, the company has created a standalone AI VRP that brings security vulnerabilities and abuse issues together under a single reward structure.
Parsons and Bennett named that lack of clarity as a key concern: “We’ve heard that the scope of AI rewards wasn’t always clear,” they said. The updated program addresses this by defining specific categories and scaling rewards by impact, novelty, and product sensitivity.
What Counts as a Vulnerability?
The AI VRP defines eight categories: two security categories (S1 and S2) and six abuse categories (A1 to A6):
- S1: Rogue Actions – Attacks that cause an AI product to modify a victim’s account or data in a way with significant security consequences (up to $20,000 for a flagship product).
- S2: Sensitive Data Exfiltration – Attacks that cause an AI product to leak personal or otherwise sensitive data.
- A1 to A6 – Abuse scenarios such as phishing enablement, model theft, context manipulation, access control bypass, unauthorized product usage, and cross-user denial of service.
Depending on the severity and creativity of the report, bonuses can raise the total reward to $30,000.
What’s Not Covered?
Google has made it clear that content-related issues, such as hallucinations, alignment problems, and prompt injections or jailbreaks whose only result is objectionable model output, are out of scope for the AI VRP. The distinction is one of impact: the program pays for a demonstrated security or abuse outcome in the S and A categories, not for showing that a model can be talked into producing content it should not. Google considers content issues important but says they require long-term analysis and model refinement, which does not fit the structure of a VRP, and asks users to report them through in-product feedback tools instead.
“We don’t believe a Vulnerability Reward Program is the right format for addressing content-related issues,” the company states, adding that such concerns need cross-disciplinary solutions involving model updates, content reviewers, and broader trend analysis.
Still, the company encourages users to continue submitting such feedback — just through the right channels.
Key AI Products in Scope
Google has categorized its AI products into three tiers under the new VRP:
- Flagship Tier: Includes high-profile tools like Google Search, Gemini Apps (across Web, Android, iOS), and core Google Workspace apps such as Gmail, Docs, Sheets, and Meet. These offer the highest payouts.
- Standard Tier: Covers products like AI Studio, Jules, and non-core Workspace tools like NotebookLM and AppSheet.
- Other Tier: Encompasses miscellaneous AI features in lesser-known or third-party products, often rewarded with credits instead of cash.
Notably, issues in Vertex AI and gemini-cli remain in scope for the Google Cloud VRP rather than the AI VRP, so reports for those products should go there.
Reward Breakdown
Here is how base payouts are structured by category and product tier:

| Category | Flagship | Standard | Other |
|---|---|---|---|
| S1: Rogue Actions | $20,000 | $15,000 | $10,000 |
| S2: Sensitive Data Exfiltration | $15,000 | $15,000 | $10,000 |
| A1–A6: Abuse categories | $500 to $5,000, depending on category and tier | $500 to $5,000, depending on category and tier | Credits in some cases |
These base figures can be increased by multipliers for report quality and novelty. A genuinely novel, high-impact report, particularly one demonstrating an S1 or S2 issue against Gemini or another flagship product, can reach the $30,000 maximum.