How Google handles security vulnerabilities

As a provider of products and services for many users across the Internet, we recognize how important it is to help protect user privacy and security. We understand that secure products are instrumental in maintaining the trust users place in us and we strive to create innovative products that both serve user needs and operate in the user’s best interest.

This site provides information for developers and security professionals.

If you are a Google user and have a security issue to report regarding your personal Google account, please visit our contact page. To find out how to stay safe online, take the Google Security Checkup.

Reporting security issues

If you believe you have discovered a vulnerability in a Google product or have a security incident to report, go to goo.gl/vulnz to include it in our Vulnerability Reward Program. Upon receipt of your message we will send an automated reply that includes a tracking identifier. If you feel the need, please use our PGP public key to encrypt your communications with us.

Google’s vulnerability disclosure policy

We believe that vulnerability disclosure is a two-way street. Vendors, as well as researchers, must act responsibly. This is why Google adheres to a 90-day disclosure deadline. We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix. That deadline can vary in the following ways:

CVEs are an industry standard for uniquely identifying vulnerabilities. To avoid confusion, it’s important that the first public mention of a vulnerability should include a CVE. For vulnerabilities that go past deadline, we ensure that a CVE has been pre-assigned.

As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances. We remain committed to treating all vendors strictly equally. Google expects to be held to the same standard.

This policy is strongly in line with our desire to improve industry response times to security bugs, but also results in softer landings for bugs marginally over deadline. We call on all researchers to adopt disclosure deadlines in some form, and feel free to use our policy verbatim if you find our record and reasoning compelling. Creating pressure towards more reasonably-timed fixes will result in smaller windows of opportunity for blackhats to abuse vulnerabilities. In our opinion, vulnerability disclosure policies such as ours result in greater overall safety for users of the Internet.