Google: AI bug bounty program pays up to 30,000 US dollars per bug
Google introduces a bug bounty program for AI applications. Researchers who find serious flaws in Gemini or the AI search receive rewards.
Two years after extending its bug bounty program to cover AI products, Google is now introducing a reward program dedicated specifically to bugs in AI products. Particularly dangerous exploits can earn their finders up to 30,000 dollars.
As Google writes in its announcement of the new AI bug bounty program, folding AI issues into the “Abuse Vulnerability Reward Program” (VRP) was “a great success for Google's collaboration with AI researchers.” The researchers taking part in the VRP had “made some great discoveries.” External researchers have collected over 430,000 US dollars in rewards for their findings since the AI program began.
With the AI bug bounty program introduced on Monday, Google has formulated the requirements more clearly: it is not enough simply to make the AI hallucinate or to make Gemini look foolish. Google's list of qualifying bugs includes prompt injections that are invisible to the victim and that change the state of the victim's account or of one of the associated products.
Other qualifying unauthorized actions include modifying a person's account or data in a way that compromises their security or triggers something they did not want; Google's example is an attacker using a manipulated Google Calendar entry to open smart shutters or switch lights on and off.
Big money for bugs discovered in Gemini and search
Google is offering researchers who uncover serious security vulnerabilities up to 20,000 US dollars for well-written bug reports. The flaws must affect the company's flagship AI products, i.e. search, the Gemini app, or important Workspace apps such as Gmail and Drive.
Google has also carried over the “bonus multipliers” for report quality and novelty from the previous bug bounty program, so the reward for a single report can reach 30,000 US dollars. Bugs that security researchers find in other Google AI products such as Jules or AI Studio, or less serious issues such as unauthorized product use, are rewarded at lower rates.
CodeMender
In addition to the AI bug bounty program, Google DeepMind has announced an AI agent called CodeMender, which is designed to patch vulnerable code. According to the company, the agent has already contributed 72 security fixes to open-source projects in the past six months, including projects with up to 4.5 million lines of code. DeepMind has also designed CodeMender to proactively rewrite existing code to use more secure data structures and APIs, according to the announcement.
(afl)