Google Expands Vulnerability Reward Program Beyond Bugs

Google has now expanded its long-running Vulnerability Reward Program to include a number of exploits, workarounds, and other security flaws beyond system-level vulnerabilities. These types of issues have already seen some researchers earn a portion of the over $12 million already parceled out by the search giant since 2010. However, this is the first time they have been officially included as acceptable reports for the program. Google says its decision to make the change is driven by the fact that security problems don’t just include vulnerabilities. They also include ways to abuse how various Google systems, products, and offerings work in order to take part in malicious activities. As always, any reports filed with the company will be reviewed by its Trust & Safety team in order to assess the potential risks and the rewards to be doled out.

With the new guidelines officially in place, Google has shifted at least some of its focus away from solely looking for exploitable vulnerabilities and toward the prevention of issues caused by “potential abuse methods.” That means that reports can now cover methods to circumvent account recovery systems or to enable a brute force attack. They could also include methods to overcome built-in restrictions in various services or ways to bypass systems that prevent piracy. According to Google, with a few exceptions, a valid report can cover a huge variety of methods, but it will generally involve a weakness that allows a product’s code to be changed.

Other aspects of the program, meanwhile, are not being changed as part of the expansion. Individual instances of abuse are still not in scope for the program. For example, the posting of content that breaches the policies of an individual service such as Google Plus or YouTube will still need to be reported via that application’s own internal process. The Vulnerability Reward Program is only intended for research that finds and brings forward problems within the code or processes of an application itself. It also only encompasses the Google, Blogger, and YouTube domains. Low-severity or already-known problems don’t typically result in a reward for the report.