Google’s new AI bug bounty program pays up to $30,000 for flaws


This week, Google has launched an AI Vulnerability Reward Program dedicated to security researchers who find and report flaws in the company’s AI systems.

The new bug bounty program focuses on the most impactful issues in the highest-profile AI products, including but not limited to Google Search (on google.com), Gemini Apps (Web, Android, and iOS), and Google Workspace core applications (e.g., Gmail, Drive, Meet, Calendar, and others).

Other in-scope products include AI features in high-sensitivity Google AI products, such as AI Studio and Jules, as well as Google Workspace non-core apps and other AI integrations in Google products.

Rewards can reach up to $30,000 for individual high-quality reports once novelty bonus multipliers are applied, while a standard report detailing a security bug that could trigger rogue actions in a flagship product earns a top bounty of up to $20,000.

Researchers can also get a $15,000 award for sensitive data exfiltration bugs, and up to $5,000 for phishing enablement and model theft issues.

| Category / VRP Product Tier | Flagship | Standard | Other |
|---|---|---|---|
| S1: Rogue Actions | $20,000 | $15,000 | $10,000 |
| S2: Sensitive Data Exfiltration | $15,000 | $15,000 | $10,000 |
| A1: Phishing Enablement | $5,000 | $500 | credit |
| A2: Model Theft | $5,000 | $500 | credit |
| A3: Context Manipulation | $5,000 | $500 | credit |
| A4: Access Control Bypass | $2,500 | $250 | credit |
| A5: Unauthorized Product Usage | $1,000 | $100 | credit |
| A6: Cross-user Denial of Service | $500 | $100 | credit |

“In October 2023, we announced Google’s reward criteria for reporting bugs in AI products, extending our Abuse Vulnerability Reward Program (VRP) to foster third-party discovery and reporting of issues and vulnerabilities specific to our AI systems,” Google said.

“As we celebrate the second year of AI bug bounties at Google, we’re excited to discuss what we’ve learned, and to announce the launch of our new, dedicated AI Vulnerability Reward Program!”

In March, the company also announced that it had awarded almost $12 million in bug bounty rewards to 660 researchers who discovered and reported security bugs through the company’s Vulnerability Reward Program (VRP) in 2024.

Google has awarded $65 million in bug bounties since its first vulnerability reward program went live in 2010, with the highest reward paid last year exceeding $110,000.

One year earlier, in 2023, the search giant also paid $10 million to 632 researchers for responsibly reporting security flaws in its products and services.
