Google expands bug bounty program to include fraud protection bypass, free purchases

External attack vectors and techniques which bypass spam and fraud systems are now part of the program.
Written by Charlie Osborne, Contributing Writer

Google has expanded its bug bounty program to include external attack techniques and vectors which threat actors may exploit to bypass abuse, fraud, and spam systems developed by the company.

On Wednesday, Android software engineer Eric Brown and program manager Marc Henson said in a blog post that the Google Vulnerability Reward Program, which has issued over $12 million in rewards for vulnerability reports to date, will now reward researchers who help the company "mitigate potential abuse methods."

This may include bypassing account recovery systems en masse, which recalls the recent Instagram incident in which hundreds of users reportedly lost access to their accounts; weaknesses that allow brute-force attacks; the circumvention of restrictions on content use and sharing; or exploits that make it possible to purchase items from Google without paying.

"Valid reports tend to result in changes to the product's code, as opposed to removal of individual pieces of content," the company added.

Individual instances of abuse on a particular product, however, are not included; the program is after the underlying weakness that makes the abuse possible.

In principle, any Google service could fall within the expanded program, including the main google.com, blogger.com, and youtube.com domains, as well as the company's smart home devices, the Google Cloud Platform, and its browser extensions.

Google is always interested in receiving vulnerability reports including XSS flaws, authentication issues, and server-side bugs. In May, for example, a student was awarded $36,000 for uncovering a remote code execution flaw in the Google App Engine.

Coding errors and programming problems that could allow abuse, fraud, and spam systems to be circumvented are now equally in scope.

The practice itself is not new: Google has rewarded reports of this kind for the past few years, but such findings will now be officially acknowledged and rewarded under the program. How much these reports will be worth has not been disclosed.
