Big Rewards Offered in Dedicated Google Cloud Bug Bounty Program


Researchers can earn bug bounty rewards of up to $101,010 for security defects impacting over 140 products and services under Google Cloud’s new Vulnerability Reward Program (VRP).

As part of the new VRP, which is dedicated to more than 460 products and services, security researchers will interact directly with Google Cloud security engineers, for faster triage, reproduction, and assessment of reports.

“While the broader Google VRP has covered Google Cloud until now, the launch of the Google Cloud-specific VRP enables us to invest more deeply to pursue a more secure cloud,” the company notes.

Interested researchers will continue to use the same reporting portal as for Google, Chrome, Android, and Abuse VRPs, and will benefit from an improved reward structure, the internet giant says.

As usual, researchers are advised to provide detailed reports regarding the identified attack scenario, and to follow the VRP’s guidance to make it easy for Google’s engineers to reproduce the bug.

“Make sure to outline who would want to exploit a particular vulnerability and what they may gain. As you explain these attack scenarios, you’ll want to think about the starting position of the attacker and any prerequisites for the attack. It’s also best to articulate assumptions about the victim,” the company says.

On the VRP’s rules page, Google Cloud explains that cross-site scripting, cross-site request forgery, mixed-content scripts, authentication/authorization, server-side code execution, and XSLeak (cross-site leak) bugs are within the program’s scope.

It also explains that security defects leading to remote code execution, fully controlled RPCs (Remote Procedure Calls), and full control or bypass of all IAM checks could bring researchers the top rewards.


Flaws leading to other types of IAM bypasses and cross-tenant data breaches are eligible for rewards of up to $50,000.

To qualify for the maximum bug bounty reward, participants will have to demonstrate the actual security impact of the vulnerability and provide high-quality reports. Those who submit reports of exceptional quality may earn 1.5x the reward amount.

“When investigating a vulnerability, please, only ever target your own accounts. Never attempt to access anyone else’s data and do not engage in any activity that would be disruptive or damaging to your fellow users or to Google,” the internet giant notes.
