Google has extended its Vulnerability Rewards Program to cover bugs relating to generative AI in a move that will benefit both developers and consumers.
The company’s bug bounty program is already a well-known initiative designed to keep users safe, and has paid out millions in rewards over the years, including more than $12 million in 2022 alone.
Extending its VRP to cover under-the-radar faults with GenAI is another way of ensuring responsible AI, says the company, which earlier this year committed to advancing the discovery of vulnerabilities in AI systems together with other leading AI companies.
Google announces VRP for AI
Speaking about a new generation of vulnerabilities that need addressing, Trust & Safety VP Laurie Richardson and Privacy, Safety, and Security Engineering VP Royal Hansen said:
“Generative AI raises new and different concerns than traditional digital security, such as the potential for unfair bias, model manipulation or misinterpretations of data (hallucinations).”
They added: “We expect this will spur security researchers to submit more bugs and accelerate the goal of a safer and more secure generative AI.”
A set of guidelines for the AI-focused portion of Google’s VRP has been published, and set out a series of cases that would be considered in scope.
More broadly, Google’s Vulnerability Rewards Program pays between $500 and $31,337 for the highest severity vulnerabilities that permit the takeover of a Google account. Even the lowest eligible security vulnerability rewards promise to pay out $100.
Richardson and Hansen summarize the announcement: “Our hope is that by incentivizing more security research while applying supply chain security to AI, we’ll spark even more collaboration with the open source security community and others in industry, and ultimately help make AI safer for everyone.”
