Systems Sandboxing

Many Google services allow users to run code on Google servers (Google Apps Scripts, App Engine, Compute Engine, and so on), in addition, we frequently run a variety of open source software in our services that potentially have dangerous code execution vulnerabilities. To protect against those problems, we use a careful defense-in-depth strategy to limit the impact of a vulnerability. As part of Google's Vulnerability Reward program getting to the point of receiving a sandbox violation is in scope. Security researchers should stop and immediately contact us as soon as they find vulnerabilities, even if they are preempted by a sandbox.

Note that if you are interested about researching into the security of sandboxes, you can also be rewarded for research into the Chrome Sandbox, and Native Client, as well as via the Internet Bug Bounty for other Operating System sandboxes.