Feeds

Google calls bug bounty hunters to YouTube, Blogger

'1337' cash for web flaws

SANS - Survey on application security programs

Google has unveiled a pilot program designed to make Blogger, YouTube and other company-run websites more secure by paying significant bounties to researchers who report bugs that threaten users.

The initiative expands on a previous bounty program that rewarded researchers only for bug reports in Chromium, the guts of Google's open-source Chrome browser. Effective immediately, rewards of as much as $3,133.70 (as in “leet,” or elite get it?) are available to people who report serious web-application flaws in Google properties such as its main site, YouTube or Blogger. Client apps such as Android, Picasa or Google desktop aren't eligible.

“Today, we are announcing an experimental new vulnerability reward program that applies to Google web properties,” the company said on Monday. “We already enjoy working with an array of researchers to improve Google security, and some individuals who have provided high caliber reports are listed on our credits page. As well as enabling us to thank regular contributors in a new way, we hope our new program will attract new researchers and the types of reports that help make our users safer.”

The bounties will be awarded when researchers privately report cross-site scripting (XSS), cross-site request forgery (XSRF), authentication bypasses and other types of web application vulnerabilities that might compromise the confidentiality or integrity of user data. The premium $3,133.7 reward will be paid in cases where the reported bug is especially severe or clever. Reports of less sophisticated bugs will fetch $500.

Members of Google's security team, including Chris Evans, Neel Mehta, Adam Mein, Matt Moore, and Michal Zalewski, will determine which bugs are eligible.

Google's blog post announcing the new program makes clear that proofs of concept should attack only accounts controlled by the researcher. Attacks against Google's corporate infrastructure, denial-of-service attacks and social-engineering and physical attacks are strictly forbidden. Google has also asked participants to refrain from using automated testing tools.

The rewards are also unavailable to those who publicly report the vulnerability before it is fixed, though researchers are free to toot their own horn once it has been patched.

While some companies – including Microsoft – have made it clear they won't retaliate against researchers who privately report bugs in their sites, Google is the only site we're aware of that's offering cash rewards to do so. Some researchers have long grumbled that they should receive compensation for the reports that benefit users of websites and software. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.