Ask HN: Has Google made you pay $15,000 to $75,000 for a security review? Has anyone gone through Google's OAuth verification process for restricted scopes recently? They give you a choice of just two very expensive companies for security reviews.
This process was a huge surprise for us. We are a bootstrapped startup that spent a significant amount of time building the Gmail integration last year before this was announced. We are launching shortly and have had to remove the entire integration. We have no idea how much it is going to cost or if we will be approved.
We are launching a product in a mature market with lots of competitors (hence the long initial development time), one of those being Google. According to Wikipedia, Gmail has 1.4 billion customers. I don't understand how this got past their lawyers - 1) monopoly in e-mail space, 2) create other products tightly integrated, 3) charge a $15k - $75k fee to any new competitors in your space.
Context: I work in this space and actively work on programs such as these.
Obviously we're a competing firm to those, so bias warning :), but I think it's a sound principle that would help the market.
However, whenever a user actually tries to sign up, it says that the app is not verified. So I can't submit anything for review, because everything has been reviewed and approved, but it still doesn't work.
It's pricey, especially for small firms. However, most companies don't know what their security posture is - this is all part of managing risk.
They've only approved two vendors, blargh. More will come in time. Be patient, or raise money.
A pen test mitigates that risk.
https://developers.google.com/terms/api-services-user-data-p...
https://cloud.google.com/blog/products/g-suite/elevating-use...
[1] https://developers.google.com/gsuite/marketplace/security-as...
From your previous statement, it seems your product is tightly integrated with Gmail. That suggests you're actually relying on Google to be your infrastructure provider. If that's the case, then claiming the fee is "to compete with them" is not the most accurate or honest description.