Google confirms AI is now in the realm of bounty hunting hackers

Google has confirmed that it is expanding its existing Vulnerability Rewards Program (VRP) to embrace attack scenarios that feature generative AI. The newly revised bug bounty program encourages hackers to explore attack scenarios and uncover vulnerabilities that apply to Google’s AI systems and services.

Google’s AI Red Team mimics real hack attacks

In August, Google announced it had created an AI Red Team to combat the same types of attack methods used by nation-states, organized cybercrime groups and malicious insiders. Daniel Fabian, Head of Google Red Teams, said, “One of the key responsibilities of Google’s AI Red Team is to conduct relevant research and adapt it to work against real products and features that use AI to learn about their impact. Let’s do it for.” “We leveraged attackers’ tactics, techniques, and procedures (TTPs) to test a range of system defenses.”

Google AI Bug Bounty Hackers Have to Play by the Rules

Now, hackers outside the AI Red Team and outside Google can look for weak points in Google’s AI systems. The difference is that these hackers must work within a strict framework that defines what is in or out of scope. They won’t have the same ‘anything goes’ approach to attack simulations, but that doesn’t make AI bounty-hunting hackers any less important. Like any bug bounty program, there are guidelines on what types of vulnerabilities Google wants to uncover, what methods can be used to do so, and the process for both reporting and receiving payment for those found. So, for example, prompt injections that are invisible to victims and alter the state of the victim’s account or any of their assets are in scope. It is not advisable to use a product to generate infringing, misleading, or factually incorrect content, including ‘hallucinations’ and factually incorrect responses. Equally, contexts where an adversary could trigger the misclassification of a security control to be misused for malicious use are within scope, but where it would not lead to a “compelling attack scenario or the potential for harm to Google or the user,” it is not in scope.


$12 million bug bounty bonanza

Google has confirmed that bounties will be paid for vulnerabilities disclosed under the VRP umbrella, with the amount of those bounties depending on “the severity of the attack scenario and the type of target affected.” However, in 2022, more than $12 million was paid to hackers in bounties that were part of a broader program.

“We look forward to continuing our work with the research community to find and fix security and abuse issues in our AI-powered features,” a Google spokesperson said, adding: “If you find a qualifying issue, please visit our Bug Hunter website to send us your bug report and if the issue is found to be legitimate we will be rewarded for helping keep our users safe.”

Google’s confirmation regarding the new AI bug bounty program couldn’t be more timely. Announcing the Global AI Security Summit and the proposed AI Security Institute, UK Prime Minister Rishi Sunak gave a speech on October 26 in which he said that “criminals are vulnerable to cyber attacks, disinformation, fraud or even child sexual abuse.”

“Generative AI is a double-edged sword, as the cybersecurity landscape is constantly evolving, the proliferation of generative AI only adds further complexity to the mix,” said Fabian Rech, Senior Vice President, Trellix. “With the first AI Security Summit starting next week, it is important for organizations to know what this will mean for the future of regulation with this emerging technology, and how businesses are expected to use and integrate it may go.”
