Google is now offering rewards for newly-discovered techniques that bad actors could use to bypass its systems protecting against abuse, fraud and spam.
The company has expanded the scope of its bug bounty program beyond security vulnerabilities to also cover mitigations for potential abuse methods across its products, such as Google+, YouTube, Gmail and Blogger.
“For the past two years, some of these rewards were for bug reports that were not strictly security vulnerabilities, but techniques that allow third parties to successfully bypass our abuse, fraud and spam systems,” said Eric Brown and Marc Henson, with Google’s Trust and Safety team, in a Wednesday post. “Today, we are expanding our Vulnerability Reward Program to formally invite researchers to submit these reports.”
For instance, valid reports for the program could include bypassing Google’s account recovery systems at scale, identifying services that are open to brute-force attacks, discovering techniques for circumventing restrictions on content use and sharing, or purchasing items from Google without paying, the company said.
Google stressed that reporting individual instances of abuse (like posting content that violates its guidelines, sending spam emails, or distributing malware links) is not part of the program; such instances should be reported through existing product-specific channels.
“Valid reports tend to result in changes to the product’s code, as opposed to removal of individual pieces of content,” according to the post.
Reports should be submitted to Google’s Vulnerability Reward Program and will be reviewed by experts on the company’s Trust and Safety team, which specializes in the prevention and mitigation of abuse, fraud and spam activity on its products.
Google did not respond by publication time to a request for comment from Threatpost on the rewards tied to such discoveries.
Google’s existing bug-bounty program, which launched in 2010, covers flaws such as cross-site scripting, cross-site request forgery, mixed-content scripts, authentication or authorization flaws, and server-side code execution flaws.
According to a year-end Google report, the program paid out $2.9 million in rewards overall in 2017. That includes a researcher collecting $112,500 for an exploit chain on Pixel phones, as well as a researcher receiving $100,000 for a chain of bugs in ChromeOS.