Introducing Google Cloud’s new Vulnerability Reward Program

Vulnerability reward programs, also known as bug bounties, play a vital role in driving security forward. By incentivizing security research, they allow vulnerabilities to be found and fixed by vendors before they can be exploited by malicious actors, protecting users and strengthening security posture. Google has long been a leader in supporting these programs, and they are now an integral part of the security landscape.

As part of our commitment to security, we are pleased to announce the launch of the Google Cloud Vulnerability Reward Program (VRP), dedicated to products and services that are part of Google Cloud. The Google Cloud VRP will continue to focus on coordinating the disclosure of new vulnerabilities and compensating security researchers for helping us in our mission, and offers a top award of $101,010.

Delivering the most secure cloud

While the broader Google VRP has covered Google Cloud until now, the launch of the Google Cloud-specific VRP enables us to invest more deeply to pursue a more secure cloud. With this launch, we are better aligning our rewards with our top cloud products, resulting in over 150 products coming under the top two reward tiers. 

Additionally, vulnerability researchers will now be directly interacting with our Google Cloud security engineers. Their interactions will enable us to more quickly triage, reproduce, and assess the impact of security research reports. While the new Google Cloud VRP offers an improved reward structure focused on Google Cloud, researchers will still receive the same high quality engagement, transparency, and communication that they have come to expect from the Google VRP.

How to submit a vulnerability to Google Cloud

To streamline vulnerability reporting, researchers should continue to use the same reporting portal that they use for the Google, Chrome, Android, and Abuse VRPs. 

To tell us about a vulnerability, please follow these guidelines:

  • From the portal, start a report for any Google Cloud product or service. 

  • Under Bug Location, select Cloud VRP.

  • Follow our guidance to make it easy for us to quickly reproduce the bug. The easier it is for us to reproduce the attack by following your description, the more streamlined communications will be with our team.

Be as detailed as possible regarding the attack scenario. Make sure to outline who would want to exploit a particular vulnerability and what they may gain. As you explain these attack scenarios, you’ll want to think about the starting position of the attacker and any prerequisites for the attack. It’s also best to articulate assumptions about the victim.

Helping us to quickly reproduce a vulnerability, and understand the attack scenario, can make it easier for us to accurately assess the impact of the vulnerability — and fix the issue quickly. While finding coding flaws is fun, we also want to see our bug hunting community become successful, and that means clearly articulating complex real-world attack scenarios.

VRPs have become such an important part of a robust, mature security program that they can even help organizations achieve their digital transformations. The Google Cloud VRP team and our security engineers look forward to partnering with all of our researchers to help collectively secure the cloud.