Google offers bounty for security bugs on its websites

Emil

Staff

Google has begun offering cash for security bugs reported on its websites, following the success of its bug bounty program that pays hackers for finding security flaws in Chrome. The new vulnerability reward program applies to Google web properties (google.com, youtube.com, blogger.com, and orkut.com) but excludes Google's client applications (Android, Picasa, Google Desktop, and so on).

The goal is to give Google a chance to fix the vulnerabilities before hackers can exploit them. As a result, security researchers must privately disclose new flaws to Google first, in order to qualify. In return, Google will give cash rewards between $500 and $3,133.70, depending on the severity of the flaw. Google has made 50 such payouts for Chrome bugs since launching a similar program in late January 2010. If you don't want the money, there's an option to donate it to a charity with a matching donation from Google.

Since the methods used to find these bugs may involve hacking Google's own servers, and there's a risk of breaking the law or disrupting Google's services, the company offers a few guidelines for the program. For example, the company won't pay for denial of service bugs or bugs in the company's corporate infrastructure. Furthermore, the search giant advises researchers to only use their own account or a test account, never attempt to access anyone else's data, and not engage in activity that bombards Google services with a large number of requests or data (automated testing tools are also disqualified).

The program is still experimental, but Google clearly says it wants to give security researchers new incentives to report Web flaws directly to the company's security team. "We already enjoy working with an array of researchers to improve Google security, and some individuals who have provided high caliber reports are listed on our credits page," the company said in a statement. "As well as enabling us to thank regular contributors in a new way, we hope our new program will attract new researchers and the types of reports that help make our users safer."


 
It certainly isn't new, but it is a great approach to keep their toolset secure. It also helps to know they are actively trying to prevent issues before they occur, instead of the OLD Microsoft approach of patching after exposure.
 
We would like you to fix our bugs, but don't try really hard because you may actually find something? I mean, hear me out, crackers are usually 12 year old kids with a botnet who use automated scans etc. to do the bulk of their work...

Generally to fight that sort of threat, shouldn't researchers do that very act?
 
Hilarious that they made the max 3,133.7!

For those who don't "get it" - 3,133.7 = ELEET
 
I think it's an awesome idea, might make me break out my old coding eye to check the sources, and if I find nothing at least I've brushed up on the knowledge that I used to love. Nothing like making money while hacking. Most security is slacking for the most part. Just have to think outside the box.
 
Guest said:
Hilarious that they made the max 3,133.7!

For those who don't "get it" - 3,133.7 = ELEET

But what you "don't get" is that you found that out using the very same Google.
 
Reminds me of what Mozilla did with Firefox really. Still, it's a good approach to helping create better, more secure software.
 
Since Google can afford this, I think it's brilliant. It does 2 things in my eyes. It helps them secure their domains, as well as potentially acquire new talent to use on their team should they find someone who finds multiple flaws and becomes a good asset to their design team.
 
Let's all go on a bug-finding safari! I guess it's going to be difficult to find a bug in Google's sites though!
 
I like the way they make people do things for them via a positive reward system. A policy I definitely prefer over the usual "We will come after you with rakes and torches" kinda approach we hear from time to time. Let's not hope someone comes along and rewards people even more money if they can make Google's systems fail... hmm, I suppose that already exists... hmm, does that mean that this reward from Google doesn't matter, as those who can actually make systems fail will always be in front because they get more cash!! Arrr, brain is melting...
 
It's smart for Google in doing so. Sometimes you need an outsider's perspective. It's like putting your enemies on your side. I'm really amazed at Google. Clap clap clap.
 
Not a brand new approach by any means, but still a good idea. Wouldn't mind seeing more companies do this. As starfreezer said, it's always nice to see people try positive reinforcement for once.
 
I agree with puiu. If the bigger companies did this it would be great. It's really too bad that Microsoft and the like don't do this.
 
Google is taking a nice step, but this did take a long time. It seems they had discussed this move a lot; that's the thing with Google, they have in-depth discussions on whether to go ahead or not. Since they went with it anyway, they could have done it a lot earlier.
 