Google: No Cash for Trash Vulnerabilities

It’s bound to happen: you create a cool, forward looking incentive program designed to tap the “wisdom of the crowd” and help make your products better, only to find out that, in fact, the “crowd” isn’t all that wise – and now wants you to pay cold, hard cash for their tepid ideas.

That’s the experience that Google appears to have had since announcing in early November that it would extend its bug bounty program from its Chromium platform to the various Web applications that the company owns. In an updated blog post this week, the company said that it has already committed to some $20,000 in bounties, but also provided some “clarification” to the terms of the reward program, saying that – in essence – not all bugs are equal and that researchers dumping low priority vulns shouldn’t expect to get much in return.

In an avuncular update post on Thursday that tries really, really hard to be encouraging, Google said that, while it has received some outstanding contributions to the Web application bug bounty program since announcing it on November 1, the company has also, reluctantly, agreed to pay for some so-so work.

“The review committee has been somewhat generous this first week,” wrote Google’s Security Team in a blog post. “We’ve granted a number of awards for bugs of low severity, or that wouldn’t normally fall under the conditions we originally described.”

Going forward, the Security Team, “in the spirit of transparency,” has put together a list of the types of things that aren’t reward-worthy vulnerabilities. That list includes:

  • Vulnerabilities in services (like Google Store) that aren’t managed by Google.
  • Vulnerabilities in Web applications from recent acquisitions – Google says it’s already combing over the code of these applications anyway and, besides, not all of them will be continued. Vulnerabilities in applications from acquisitions that aren’t at least six months old won’t be considered in all but exceptional circumstances.
  • URL redirection – it’s a staple of the Web and of Web based attacks. But is it a security vulnerability? Google isn’t so sure, and doesn’t plan on shelling out cash for redirection flaws. To quote: “the panel believes that any user who could be misled by a URL redirector can also be tricked without relying on any particular trusted website to act as a relying party; eliminating URL redirectors will not change this outlook appreciably.”
  • Cross site scripting holes in Google sandbox domains – when is a cross site scripting vulnerability not a vulnerability? When it happens in sandboxed domains like googleusercontent.com and gmodules.com. Google says cross site scripting attacks on content in these domains won’t qualify for a reward unless they can be proven to impact the functionality of other Google products.
