Google is extending its nascent bug-bounty program to the Web applications that the company owns, including its flagship search service, YouTube and Blogger. The program will pay researchers rewards of up to $3133.7 for bugs that they find in Google Web services and report directly to the company.
Google announced the new bounty program Monday, about 10 months after it launched its initial reward program for vulnerabilities identified in Chromium. That program has been quite successful, drawing a lot of interest from security researchers who have identified some interesting bugs in the open-source software.
Now, Google is hoping that those same researchers will take their talents to the company’s Web properties.
“Today, we are announcing an experimental new vulnerability reward
program that applies to Google web properties. We already enjoy working
with an array of researchers to improve Google security, and some
individuals who have provided high caliber reports are listed on our credits page.
As well as enabling us to thank regular contributors in a new way, we
hope our new program will attract new researchers and the types of
reports that help make our users safer,” the company said in a blog post attributed to several of Google’s security team members, including Chris Evans, Neel Mehta and Michal Zalewski.
Google is looking for common, relatively serious bugs in Web applications, including cross-site scripting, cross-site request forgery and authentication bypass vulnerabilities. The rewards paid for bugs in Web properties will start at $500 and run up to $3133.7. for bugs that are unusually serious or clever. The rewards only apply to vulnerabilities found in Web properties that Google owns, and not to attacks against the company’s own corporate network, DoS bugs or problems in Google’s client applications, such as Android.
Google won’t reward researchers who disclose bugs before notifying Google, whether that disclosure is a full public one or a private one, say through a bug-buying program such as the Zero Day Initiative.
“We believe
handling vulnerabilities responsibly is a two-way street. It’s our job
to fix serious bugs within a reasonable time frame, and we in turn
request advance, private notice of any issues that are uncovered.
Vulnerabilities that are disclosed to any party other than Google,
except for the purposes of resolving the vulnerability (for example, an
issue affecting multiple vendors), will usually not qualify. This
includes both full public disclosure and limited private release,” the company said.
Google’s existing bug bounty program has been successful in its short life. In just one patch release in August, Google paid more than $10,000 in rewards.