Common types of non-qualifying reports

In Google VRP, we welcome and value reports of technical vulnerabilities that substantially affect the confidentiality or integrity of user data.

Unfortunately, approximately 90% of the submissions we receive through our vulnerability reporting form are ultimately deemed to have little or no practical significance to product security. The experience of reporting an issue and not qualifying for a reward can be disappointing to less experienced researchers - and the high volume of submissions makes it harder for us to spot valid, high impact reports.

In the spirit of openness, we decided to publish a discussion of some of the most common non-qualifying report types, with a brief explanation of our reasoning behind not treating them as a security risk or otherwise not paying out rewards.

Web Services and Chrome Extensions