From June 2023, the Google VRP offers time-limited bonuses for reports to specific VRP targets to encourage security research in specific products or services. These bonuses will be rewarded as an additional percentage on top of a normal reward. Bonuses will only be applied to VRP submissions received in the specified time range.

From September 2023, this bonus will also apply to qualifying Google Mobile VRP vulnerabilities and abuse-related methodologies.

Bonus targets, dates, and amounts will be announced in advance via twitter.com/GoogleVRP and on bughunters.google.com in our News section.

For example: A 50% bonus on a $1000 Google VRP reward will result in an additional payment of $500.

The final amount and bonus applicability is always chosen at the discretion of the reward panel.

Legal

We are unable to receive reports and/or issue rewards to individuals or entities that are on sanctions lists, or who are in territories subject to sanctions (e.g., Cuba, Iran, North Korea, Syria, Crimea, and the so-called Donetsk People's Republic and Luhansk People's Republic). Additionally, due to administrative difficulties, we no longer issue rewards to individuals or entities located in Russia.

You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter the program depending upon your local law.

This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion.

Your testing must not violate any law, or disrupt or compromise any data that is not your own.

To avoid potential conflicts of interest, we will not grant rewards to people employed by Google or Google Partner companies who develop software covered by this program.