Google this week introduced a brand new devoted AI Vulnerability Reward Program (VRP) that builds on the 2023 Abuse VRP extension overlaying points and vulnerabilities in its AI methods.
Up to now, bug hunters have earned greater than $430,000 in rewards for AI-product associated vulnerabilities, and the brand new VRP builds on that momentum and has been formed based mostly on the suggestions obtained from taking part researchers.
Some of the necessary features of the brand new AI bug bounty program is that immediate injections, jailbreaks, and alignment points aren’t in its scope. Nonetheless, Google encourages researchers to report these content-related points as nicely.
“We don’t consider a Vulnerability Reward Program is the appropriate format for addressing content-related points. The first objective of our VRP is to encourage researchers to report safety vulnerabilities and abuse points on to Google, and to supply well timed, useful rewards to incentivize these reviews,” Google explains.
All Google AI merchandise, the corporate says, have in-product performance that can be utilized to report content-based points. Such reviews ought to embrace data on the used mannequin, context, and different metadata.
Throughout the AI VRP scope, nonetheless, the corporate has included assaults that modify a sufferer’s account or knowledge, leak delicate data with out consumer approval, exfiltrate mannequin parameters, result in the persistent manipulation of a sufferer’s AI surroundings, result in the exfiltration of information, allow server-side options with out authorization, or trigger persistent denial-of-service (DoS).
Assaults that allow phishing by way of persistent, cross-user injection of HTML code on Google-branded websites with no “user-generated content material” warning are additionally inside scope, if they’re deemed a convincing assault vector.
As a part of this system, Google’s AI merchandise are cut up into three tiers, particularly flagship (contains AI options on Google Search, Workspace core functions, and Gemini Apps), normal (AI options in AI Studio, Jules, and Google Workspace non-core functions), and different (different AI integrations in Google merchandise, with sure exceptions).Commercial. Scroll to proceed studying.
The best rewards provided as a part of the brand new VRP are $20,000 for assaults resulting in sufferer account or knowledge modifications in flagship merchandise. For comparable assaults in normal merchandise, researchers can earn rewards of as much as $15,000.
The best reward for delicate knowledge exfiltration from flagship and normal merchandise is of $15,000. Researchers who discover these points in merchandise from the ‘different’ tier can earn rewards of as much as $10,000.
“Going ahead, a unified reward panel will assessment all rewards, and can subject the very best reward doable throughout the abuse and safety tables,” Google says.
Extra data on the AI VRP could be discovered on this system’s guidelines web page.
Associated: $4.5 Million Supplied in New Cloud Hacking Competitors
Associated: Researchers Earn $150,000 for L1TF Exploit Leaking Information From Public Cloud
Associated: Google Paid Out $12 Million through Bug Bounty Packages in 2024
Associated: Microsoft Boosts .NET Bounty Program Rewards to $40,000
