Google has begun offering cash for security bugs reported on its websites, following the success of its bug bounty program that pays hackers for finding security flaws in Chrome. The new vulnerability reward program applies to Google web properties (google.com, youtube.com, blogger.com, and orkut.com) but excludes Google's client applications (Android, Picasa, Google Desktop, and so on).
The goal is to give Google a chance to fix the vulnerabilities before hackers can exploit them. To qualify, security researchers must therefore disclose new flaws privately to Google first. In return, Google will give cash rewards between $500 and $3,133.70, depending on the severity of the flaw. Google has made 50 such payouts for Chrome bugs since launching a similar program in late January 2010. If you don't want the money, there's an option to donate it to a charity with a matching donation from Google.
Since the methods used to find these bugs may involve hacking Google's own servers, and there's a risk of breaking the law or disrupting Google's services, the company offers a few guidelines for the program. For example, the company won't pay for denial-of-service bugs or bugs in the company's corporate infrastructure. Furthermore, the search giant advises researchers to use only their own account or a test account, never to attempt to access anyone else's data, and not to engage in activity that bombards Google services with a large number of requests or data (automated testing tools are also disqualified).
The program is still experimental, but Google clearly says it wants to give security researchers new incentives to report Web flaws directly to the company's security team. "We already enjoy working with an array of researchers to improve Google security, and some individuals who have provided high caliber reports are listed on our credits page," the company said in a statement. "As well as enabling us to thank regular contributors in a new way, we hope our new program will attract new researchers and the types of reports that help make our users safer."