
"On Monday, Google security engineering managers Jason Parsons and Zak Bennett said in a blog post that the new program, an extension of the tech giant's existing Abuse Vulnerability Reward Program (VRP), will incentivize researchers and bug bounty hunters to focus on "high-impact abuse issues and security vulnerabilities" in Google products and services."
"Rogue actions: Attacks that modify accounts or data with a security impact. For example, the use of an indirect prompt to force Google Home to unlock a door. Sensitive data theft: Attacks leading to the theft of sensitive user data. These could include indirect prompt injections that send email summaries to a threat actor without user consent. Phishing enablement: Phishing attack vectors on Google websites that include persistent, cross-user HTML injections. Model theft: Security problems that could allow attackers to steal complete, confidential model parameters, such as exposed Google APIs. Context manipulation: Issues leading to the persistent manipulation of an AI environment without significant user interaction. Access control bypass: Attacks leading to data exfiltration from resources that shouldn't be accessible."
"Researchers have earned more than $430,000 since 2023, when Google's bug bounties expanded to include AI-related issues. Rewards range from $500 to $30,000."
Google launched a standalone bug bounty program focused on vulnerabilities in AI products and services. The program extends the Abuse Vulnerability Reward Program (VRP) to incentivize researchers and bug hunters to report high-impact abuse issues and security vulnerabilities. In-scope categories include rogue actions, sensitive data theft, phishing enablement, model theft, context manipulation, and access control bypass. Rewards for valid reports range from $500 to $30,000. Researchers have already earned over $430,000 since 2023 when AI-related issues were first included. The program aims to clarify in-scope bugs and encourage increased reporting to improve product security.
Read at ZDNET
Unable to calculate read time
Collection
[
|
...
]