About This Section

Welcome to the VRP rules section! Here, you’ll find an overview of the different vulnerability reward programs Google maintains, as well as guidance on related programs. See the sections below for an overview of the available programs, their scope, and where to report issues or submit contributions. Happy bug hunting!

If you have questions related to our handling of submitted security reports or the general functionality of the bughunters.google.com site, see our FAQ page.

Tip: Not sure which program to report the issue you've discovered to? When in doubt, report to the Google and Alphabet Vulnerability Reward Program (VRP).

Android & Friends

| Program name | Scope | Where to report |
| --- | --- | --- |
| Android and Google Devices Security Reward Program (rules) | Security issues affecting Pixel, Smart Home, Google Nest, Home APIs, Pixel Watch, and Fitbit devices and their latest operating systems | Use the standard form (report to Android & Devices VRP) |
| Google Mobile Vulnerability Reward Program (rules) | Security issues affecting first-party Android applications | Use the standard form (report to Mobile VRP) |

Chrome & Friends

| Program name | Scope | Where to report |
| --- | --- | --- |
| Chrome Extensions Vulnerability Reward Program (rules) | Security issues in first-party Chrome extensions | Use the standard form (report to Chrome Extensions VRP) |
| Chrome Vulnerability Reward Program (rules) | Security issues affecting the Chrome Browser | Use the Chromium issue tracker submission form. Alternatively, you can report issues via the standard form (report to Chrome VRP) |
| ChromeOS Vulnerability Reward Program (rules) | Security issues affecting Chromebooks and the ChromeOS ecosystem | Use the standard form (report to ChromeOS VRP) |

Google & Friends

| Program name | Scope | Where to report |
| --- | --- | --- |
| Abuse Vulnerability Reward Program (rules) | Security issues that identify abuse-related methodologies | Use the standard form (report to Abuse VRP) |
| Cloud Vulnerability Reward Program (rules) | Security issues affecting any Google Cloud product or web service that handles reasonably sensitive user data | Use the standard form (report to Cloud VRP) |
| Google and Alphabet Vulnerability Reward Program (VRP) (rules) | Security issues affecting any Google-owned or Alphabet (Bet) subsidiary web service that handles reasonably sensitive user data | Use the standard form (report to Google VRP) |

Open Source

| Program name | Scope | Where to report |
| --- | --- | --- |
| Google Open Source Software Vulnerability Reward Program (rules) | Security issues affecting open source software stored in the public repositories of Google-owned GitHub organizations and selected repositories hosted on other platforms | Use the standard form (report to OSS VRP) |
| Open Source Security Subsidies (rules) | Closed for submission of new nominations from December 2024! For more details, see the rules. Claiming upfront financial support to enable open source developers to prioritize security work | n/a |
| OSS-Fuzz Reward Program (rules) | Rewards contributions to OSS-Fuzz, such as integrating new projects, improving existing projects, or adding ways to find new classes of vulnerabilities | Submit contributions using the dedicated OSS-Fuzz form |
| Patch Rewards Program (rules) | Rewards proactive improvements you've made to security in open source projects | Submit patches using the dedicated Patch Rewards form |
| Tsunami Patch Rewards Program (rules) | Rewards contributions to Tsunami security scanners which enhance vulnerability detection and web application fingerprinting capabilities | Submit a request using the dedicated Tsunami form; note that prior approval by the Tsunami scanner team is required (full application process) |
| InternetCTF Tsunami Patch Rewards Program (rules) | Rewards contributions to discovering & reporting 0-day vulnerabilities in open source software and implementing Tsunami plugins to detect them | Exfiltrate flags at InternetCTF and fill in the survey for vulnerability report and Tsunami plugin implementation (full application process) |

Other

| Program/topic name | Scope | Where to report |
| --- | --- | --- |
| Bonus Awards (rules) | Time-limited (extra) bonuses for reports to specific VRP targets | Depends on the target the reward is available for |
| Our Rewards Philosophy (rules) | Provides background on how we evaluate submitted reports and determine rewards | n/a |
| Vulnerability Research Grant (rules) | Provides upfront grants to encourage security research in a pre-defined area | n/a |