Google offers bounty for security bugs on its websites

November 2, 2010, 5:05 PM
Google has begun offering cash for security bugs reported on its websites, following the success of its bug bounty program that pays hackers for finding security flaws in Chrome. The new vulnerability reward program applies to Google web properties (google.com, youtube.com, blogger.com, and orkut.com) but excludes Google's client applications (Android, Picasa, Google Desktop, and so on).

The goal is to give Google a chance to fix the vulnerabilities before hackers can exploit them. As a result, security researchers must privately disclose new flaws to Google first, in order to qualify. In return, Google will give cash rewards between $500 and $3,133.70, depending on the severity of the flaw. Google has made 50 such payouts for Chrome bugs since launching a similar program in late January 2010. If you don't want the money, there's an option to donate it to a charity with a matching donation from Google.

Since the methods used to find these bugs may involve hacking Google's own servers, and there's a risk of breaking the law or disrupting Google's services, the company offers a few guidelines for the program. For example, the company won't pay for denial of service bugs or bugs in the company's corporate infrastructure. Furthermore, the search giant advises researchers to use only their own account or a test account, never to attempt to access anyone else's data, and not to engage in activity that bombards Google services with a large number of requests or data (automated testing tools are also disqualified).

The program is still experimental, but Google clearly says it wants to give security researchers new incentives to report Web flaws directly to the company's security team. "We already enjoy working with an array of researchers to improve Google security, and some individuals who have provided high caliber reports are listed on our credits page," the company said in a statement. "As well as enabling us to thank regular contributors in a new way, we hope our new program will attract new researchers and the types of reports that help make our users safer."





User Comments: 20

ReMonster said:

It certainly isn't new, but it is a great approach to keep their toolset secure. It also helps to know they are actively trying to prevent issues before they occur, instead of the OLD Microsoft approach of patching after exposure.

Emin3nce said:

We would like you to fix our bugs, but don't try really hard because you may actually find something? I mean, hear me out, crackers are usually 12 year old kids with a botnet who use automated scans etc to do a bulk of their work...

Generally to fight that sort of threat, shouldn't researchers do that very act?

Guest said:

Hilarious that they made the max 3,133.7.!

For those who don't "get it" - 3,133.7 = ELEET

TechFox said:

I think it's an awesome idea, might make me break out my old coding eye to check the sources, and if I find nothing at least I've brushed up on the knowledge that I used to love. Nothing like making money while hacking. Most security is slacking for the most part. Just have to think outside the box.

AnonymousSurfer said:

I think this is a neat idea. I might have to go find some bugs...

lawfer, TechSpot Paladin, said:

Guest said:

Hilarious that they made the max 3,133.7.!

For those who don't "get it" - 3,133.7 = ELEET

But what you "don't get" is, that you found that out using the very Google.

HaMsTeYr said:

Reminds me of what Mozilla did with Firefox really. Still, it's a good approach to helping create better, more secure software.

poertner_1274, secroF laicepS topShceT, said:

Since Google can afford this, I think it's brilliant. It does 2 things in my eyes. It helps them secure their domains, as well as potentially acquire new talent to use on their team should they find someone who finds multiple flaws and becomes a good asset to their design team.

kaonis92 said:

Let's all go on a bug-finding safari! I guess it's going to be difficult to find a bug in Google's sites though!

starfreezer said:

I like the way they make people do things for them via a positive reward system. A politic I definitely prefer over the usual "We will come after you with rakes and torches" kinda approach we hear from time to time. Let's not hope someone comes along and rewards people even more money if they can make Google's systems fail... hmm, I suppose that already exists... hmm, does that mean that this reward from Google doesn't matter as those who can actually make systems fail will always be in front because they get more cash!! Arrr, brain is melting...

fritz123 said:

It's smart for Google in doing so. Sometimes you need an outsider's perspective. It's like putting your enemies in your side. I'm really amazed at Google. Clap clap clap

TorturedChaos, TechSpot Chancellor, said:

Not a brand new approach by any means, but still a good idea. Wouldn't mind seeing more companies do this. As starfreezer said, it's always nice to see people try positive reinforcement for once.

spyx said:

Count me in, first off---Google Buzz......

theruck said:

Who are those "hackers"? Do they still exist?

sMILEY4ever said:

Guest said:

Hilarious that they made the max 3,133.7.!

For those who don't "get it" - 3,133.7 = ELEET

I didn't get it but I do now. 1337 text is 1337.

Puiu said:

It would be awesome if Microsoft did the same for Windows or other products.

klepto12, TechSpot Paladin, said:

I agree with Puiu; if the bigger companies did this it would be great. It's really too bad that Microsoft and the such don't do this.

hitech0101 said:

Google taking a nice step, but this did take a long time. It seems they had discussed a lot about this move; that's the thing with Google, they have in-depth discussions whether to go ahead or not. Since they went with it anyway, they could have done it a lot earlier.

xcelofjkl said:

Can I be given a bounty for mere suggestions? Aesthetic changes? Functionality changes? He He.
