Internal audit and compliance specialists

Google has a dedicated internal audit team that reviews compliance with security laws and regulations around the world. As new auditing standards are created, the internal audit team determines what controls, processes, and systems are needed to meet them. This team facilitates and supports independent audits and assessments by third parties.

Collaboration with the security research community

Google has long enjoyed a close relationship with the security research community, and we greatly value their help identifying vulnerabilities in G Suite and other Google products. Our Vulnerability Reward Program encourages researchers to report design and implementation issues that may put customer data at risk, offering rewards in the tens of thousands of dollars. In Chrome, for instance, we warn users against malware and phishing, and offer rewards for finding security bugs.

Due to our collaboration with the research community, we’ve squashed more than 700 Chrome security bugs and have rewarded more than $1.25 million — more than $2 million has been awarded across Google’s various vulnerability rewards programs. We publicly thank these individuals and list them as contributors to our products and services.

Operational Security

Far from being an afterthought or the focus of occasional initiatives, security is an integral part of our operations.

Vulnerability management

Google administrates a vulnerability management process that actively scans for security threats using a combination of commercially available and purpose-built in-house tools, intensive automated and manual penetration efforts, quality assurance processes, software security reviews and external audits. The vulnerability management team is responsible for tracking and following up on vulnerabilities. Once a vulnerability requiring remediation has been identified, it is logged, prioritized according to severity, and assigned an owner. The vulnerability management team tracks such issues and follows up frequently until they can verify that the issues have been remediated. Google also maintains relationships and interfaces with members of the security research community to track reported issues in Google services and open-source tools. More information about reporting security issues can be found at Google Application Security.
Google Cloud Security and Compliance Whitepaper