More info here: https://support.google.com/cloud/answer/9110914?hl=en and https://www.gmass.co/blog/google-oauth-verification-security-assessment/
Let's be clear: the security of our customers, who gave us access to their emails via API, is extremely important. We believe in this tremendously. We must not take any action that would compromise it.
Having said that, we request to bring some balance to this decision. The security checkup includes three buckets: policies, infrastructure, and pen-testing. Since the last checkup, 11 months ago, we did not change anything in the policies. Nothing changed in the infrastructure. And virtually nothing changed in the code base. As such, it does not make sense to incur the same high cost every year on something that has already been very thoroughly tested. This is painful because 1) nothing changed, and 2) the cost is really high and detrimental.
Some suggestions: 1) Increase the checkup period to be every two years instead of every year, and/or 2) Subsequent checkups should be smaller in scope. For example, no need to review policies or infrastructure. Pen-testing can also be limited in scope.
We love the spirit of this decision and the high bar Google is holding to protect our and their users. We want to maintain that while being balanced not to punish those who choose to build on top of their platforms.
Ideally this would have been an email to the owner of the Google Gmail API product, but there is no such channel.