How Google handles security vulnerabilities
If you are a Google user and have a security issue to report regarding your personal Google account, please visit our contact page. To find out how to stay safe online, take the Google Security Checkup.
If you believe you have discovered a vulnerability in a Google product or have a security incident to report, go to bughunters.google.com/report to include it in our Vulnerability Reward Program. Upon receipt of your message we will send an automated reply that includes a tracking identifier. If you feel the need, please use our PGP public key to encrypt your communications with us.
We believe that vulnerability disclosure is a two-way street. Vendors, as well as researchers, must act responsibly. This is why Google adheres to a 90-day disclosure deadline. We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix. That deadline can vary in the following ways:
As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances. We remain committed to treating all vendors strictly equally. Google expects to be held to the same standard.
