Bug Bounty and Vulnerability Reward Programs

Bug bounty programs can provide useful input into a mature security program as long as they are properly scoped and managed. Many companies run programs that offer rewards for reported bugs or security issues; the Google Vulnerability Reward Program is one example.

The quality of these programs varies with a number of factors, including scope, exclusions, repeatability, reward, interest, and program visibility. As a result, it is very hard to measure their overall quality and coverage, which are key indicators of a high-quality penetration test. For these reasons, Google does not accept reports from bug bounty programs or providers as a replacement for a third-party penetration test.