The world's largest search engine and cloud services provider, handling billions of queries daily across Search, Gmail, Drive, Cloud Platform, and Android.
https://google.com

- Max Reward: $31,337
- Total Paid: $12,400,000
- Resolved: 892
- Avg Response: 3 days
In-Scope Assets
- *.google.com: All Google web properties including Search, Gmail, Drive, Maps
- Google Cloud Platform: GCP console, APIs, IAM, and compute services
- Android OS: Android operating system and core applications
- Chrome Browser: Chromium-based browser and extensions platform
Out of Scope
- ✕ Google Ads third-party creatives
- ✕ Social engineering attacks
- ✕ DoS/DDoS attacks
Severity Levels & Rewards
- RCE, authentication bypass, privilege escalation, fund extraction
- Stored XSS, CSRF with impact, API abuse, data manipulation
- Reflected XSS, data leakage, logic flaws, information disclosure
- Verbose errors, minor config issues, low-impact info disclosure
Active Bounties (3)
| ID | Title | Severity | Status | Reward | Submissions |
|---|---|---|---|---|---|
| GOOG-001 | Stored XSS via malformed Gmail attachment filename | High | Open | $5,000–$10,000 | 2 |
| GOOG-002 | CSRF on Google Cloud IAM role assignment endpoint | Critical | In Review | $10,000–$31,337 | 1 |
| GOOG-003 | OAuth token leakage via redirect_uri mismatch in GCP console | High | Open | $5,000–$10,000 | 0 |
Rules of Engagement
• Do not access, modify, or delete data belonging to other users.
• Do not perform denial-of-service attacks or automated scanning at high volume.
• Report vulnerabilities promptly and provide sufficient detail to reproduce.
• Allow reasonable time for fix before public disclosure (90 days).
• Safe harbor: We will not pursue legal action against researchers acting in good faith within these rules.