Bugs in recent acquisitions

Although the reports often deal with real vulnerabilities, we pragmatically decided to establish a six-month blackout period for any newly announced Google acquisitions before they can qualify for a reward. This is to allow time for the acquisition to formally close, for the engineers to decide which systems will be sunset and which ones will continue to operate, and for us to do due diligence and fix most of the low-hanging bugs.

Valid reports made within the blackout period will be of course honored and taken up with the product teams, but with rare exceptions, they won't qualify for rewards.

If you are unsure about eligibility of a particular acquisition, be sure to check our official blogs and the list of Google acquisitions and mergers on Wikipedia. If in doubt, it may make sense to ping us first.