Google this week announced a new dedicated AI Vulnerability Reward Program (VRP) that builds on its 2023 expansion of the Abuse VRP to cover abuse issues and vulnerabilities in its AI systems.
To date, bug hunters have earned more than $430,000 in rewards for AI product-related vulnerabilities, and the new VRP builds on that momentum, shaped by feedback from participating researchers.
Notably, prompt injections, jailbreaks, and alignment issues are out of the new AI bug bounty program's scope. However, Google still encourages researchers to report these content-related issues, just through different channels.
“We don’t believe a Vulnerability Reward Program is the right format for addressing content-related issues. The primary goal of our VRP is to encourage researchers to report security vulnerabilities and abuse issues directly to Google, and to provide timely, valuable rewards to incentivize those reports,” Google explains.
All Google AI products, the company says, have in-product functionality that can be used to report content-based issues. Such reports should include information on the model used, the context, and other metadata.
Within the AI VRP's scope, however, are attacks that modify a victim's account or data, leak sensitive information without user approval, exfiltrate model parameters or data, persistently manipulate a victim's AI environment, enable server-side features without authorization, or cause persistent denial-of-service (DoS).
Attacks that enable phishing through persistent, cross-user injection of HTML code on Google-branded sites without a “user-generated content” warning are also within scope, if they are deemed a convincing attack vector.
As part of the program, Google's AI products are split into three tiers: flagship (AI features in Google Search, Workspace core applications, and Gemini Apps), standard (AI features in AI Studio, Jules, and Google Workspace non-core applications), and other (other AI integrations in Google products, with certain exceptions).
The highest rewards offered as part of the new VRP are $20,000 for attacks leading to victim account or data modifications in flagship products. For similar attacks in standard products, researchers can earn rewards of up to $15,000.
The highest reward for sensitive data exfiltration from flagship and standard products is $15,000. Researchers who find these issues in products from the 'other' tier can earn rewards of up to $10,000.
“Going forward, a unified reward panel will review all rewards, and will issue the highest reward possible across the abuse and security tables,” Google says.
Additional information on the AI VRP can be found on the program’s rules page.
Related: $4.5 Million Offered in New Cloud Hacking Competition
Related: Researchers Earn $150,000 for L1TF Exploit Leaking Data From Public Cloud
Related: Google Paid Out $12 Million via Bug Bounty Programs in 2024
Related: Microsoft Boosts .NET Bounty Program Rewards to $40,000