I want to report a technical security or an abuse risk related bug in a Google product (SQLi, XSS, etc.)

Are you a security researcher and want to report an issue you discovered? Go to g.co/vulnz.


Did you know?

Around 90% of reports we receive describe issues that are not security vulnerabilities, despite looking like one. For example:

  • I'm receiving e-mail messages addressed to another user with a similar name.
    It's most likely a typo made by that other person (please note that bob.foo@gmail.com is actually the same account as bobfoo@gmail.com). Go ahead and read this article for an explanation, it's not a bug.
  • XSS in translate.googleusercontent.com or yourblog.blogspot.com
    These are examples of sandbox domains created specifically to ensure that XSS there does not pose a risk to our users. It's not a vulnerability.
  • And there's lots more! If you are a security researcher, make sure to look at the articles on "Invalid reports" available on our Bug Hunter University before reporting an issue.

Further resources:

  • For information on protecting yourself and your personal information, please visit our Safety Center for tips on staying safe online.
  • To find answers to many common questions and concerns about privacy and user data related to any Google product or service, please visit our Privacy Help Center.