Elite hackers aren't the only thing Google has to worry about when it comes to its platforms. Perhaps just as pernicious are simple abuses of its systems and products — often stumbled upon by an average person with too much time on their hands. For instance, finding ways to purchase items from Google without paying, or getting around restrictions on content use and sharing. It's these issues that the Mountain View tech giant is aiming to uncover by officially expanding its Vulnerability Reward Program to include reports on techniques to successfully bypass its abuse, fraud and spam systems.
The practice isn't brand new — Google's been rewarding these types of bug reports for around two years — but it is now explicitly encouraged by the company. In addition to the examples listed above, the company offered a few more instances of potentially valid reports, including identifying a technique that would allow bypassing account recovery systems at scale, or reporting services that are vulnerable to brute-force attacks — meaning attacks that use software to gain info such as a password or PIN through trial and error.
These bugs take a bit of know-how to spot, but are still more accessible to the budding penetration tester than the security vulnerabilities generally associated with the Vulnerability Reward Program.
Google does caution that not every individual instance of abuse is necessarily worth reporting, however — for instance, content that violates its guidelines and policies or spam emails would be outside the purview of this initiative. To this point, valid reports will tend to result in changes to the product's code, not just the removal of a piece of content.
Google reported in February of this year that the Vulnerability Rewards Program has paid out roughly $12 million since its inception in 2010. In 2017 alone, it paid out $2.9 million dollars through the program. With this new expansion, the software company will likely be looking at an even bigger bill next next year.