
Frequently asked questions

Q: Why did my profile picture fail to upload?

A: Ensure your image does not exceed the 1MB size limit.

Q: Why did my attachment fail to upload?

A: To debug, you should call the /import endpoint manually and look at the detailed error message in the response. The same applies to the /export endpoint for downloading attachments from a submission.

Q: Is the bug I reported fixed yet?

A: Look at the status of the bug on your report. If the status is Fixed, we believe it is fixed – let us know if your testing shows we're wrong. If the status is Accepted, ask us. Some bugs may take longer to fix, depending on the severity, impact, product team priorities, and the complexity of the fix. For other statuses, there is usually no security bug for us to track.

Q: Why was my P1 bug not rewarded?

A: We use the priority of the report only to sort the incoming reports, based on the initial triage decision. What initially looks like a severe, high-priority issue might in fact turn out to be a feature working as intended, or its severity might be changed in the course of the internal follow-up. The panel makes its decision based on the severity and impact of the internal bugs, not the priority of the reports. There's no guarantee that a P1 report will be rewarded highly. In a similar fashion, the panel might decide to award a substantial reward for a P4 report.

Q: When should I ask about status update?

A: New reports (Status: New) should take up to a few days for us to triage (urgent reports get looked at immediately, but you won't see that in Issue Tracker). After the triage (Status: Assigned), depending on the priority, it may take up to two weeks to process the report. After a product bug is filed (Status: Accepted), the panel should make a decision within 2-3 weeks. Feel free to ask us about status updates if these timelines are not met.

Q: How long does it take to get a response?

A: We get around 200 reports every week. The response time depends on the report priority and the current load. For low priority reports in a busy period, it may take us a couple of weeks to respond.

Q: Do you send out swag as a reward for individual bugs?

A: Swag is available for special occasions, but we don't generally hand out swag as a reward for individual bugs. Keep being awesome and chances are high you will get swag from us sooner or later :).

Q: Do you see my responses on the report?

A: Yes, we see all of them (unless we inform you otherwise). Please don't file a separate report to ask questions or discuss the resolution of other reports. Just reply on the original report – we'll pick it up in due time.

Q: What does the status X mean? What should I do?

A: The following table should help:

Status: New
Meaning: A new incoming vulnerability report.
What should I do? If you have additional information, add it to the bug. Please make sure the security impact is included in the description, and that there are clear reproduction steps.

Status: Assigned
Meaning: The report has been triaged. A security engineer is looking into the issue. They will determine if it's a security bug, and if so, reproduce it and assess the security impact. Depending on the priority and the load, an issue may be in this state for a couple of weeks.
What should I do? If you have additional information, add it to the bug. Answer any follow-up questions we might have. Don't ask for status updates unless the issue is urgent.

Status: Accepted
Meaning: A security engineer decided to contact the product team and file a bug for the report. The issue will be voted on by the panel – you will receive a confirmation when the panel has made a decision (it usually takes 2-3 weeks). It's still possible that the panel will determine that:

  • The report is out of scope for Google VRP.
  • The issue is working as intended.
  • The issue is a duplicate.

In this state, the product bug is not fixed yet, or the security team has not verified the fix yet.
What should I do? If you have additional information, add it to the bug. Answer any follow-up questions we might have. Don't ask for status updates unless 3 weeks have passed and the panel has not made a decision yet.

Status: Won't fix
Meaning: The security team determined that the issue does not warrant tracking as a separate security bug. There might be several reasons for that:

  • It's not a bug; the product is working as intended.
  • The security impact is too small, and we decided to accept the risk.
  • The issue is already being worked on – it was found internally, or reported to us before.

We have provided an explanation as to why the report was closed. Despite the bug being closed, we still see and will respond to all of your updates on the bug.
What should I do? Carefully read the explanation of why we closed the bug, including the linked articles. If you feel we have made a mistake, update the bug. We will consider your explanation and reply. Don't file a separate report to discuss the same issue.

Status: Duplicate
Meaning: This is a rarely used status, usually applied when one person files multiple reports about the same issue. In cases where someone else has reported the issue to us before, we'll use the Won't fix status instead.
What should I do? N/A

Status: Fixed
Meaning: A security engineer has verified the fix for the issue.
What should I do? Feel free to verify the bug fix, and let us know if there's still a problem.