Feeds

Google calls bug bounty hunters to YouTube, Blogger

'1337' cash for web flaws

Secure remote control for conventional and virtual desktops

Google has unveiled a pilot program designed to make Blogger, YouTube and other company-run websites more secure by paying significant bounties to researchers who report bugs that threaten users.

The initiative expands on a previous bounty program that rewarded researchers only for bug reports in Chromium, the guts of Google's open-source Chrome browser. Effective immediately, rewards of as much as $3,133.70 (as in “leet,” or elite get it?) are available to people who report serious web-application flaws in Google properties such as its main site, YouTube or Blogger. Client apps such as Android, Picasa or Google desktop aren't eligible.

“Today, we are announcing an experimental new vulnerability reward program that applies to Google web properties,” the company said on Monday. “We already enjoy working with an array of researchers to improve Google security, and some individuals who have provided high caliber reports are listed on our credits page. As well as enabling us to thank regular contributors in a new way, we hope our new program will attract new researchers and the types of reports that help make our users safer.”

The bounties will be awarded when researchers privately report cross-site scripting (XSS), cross-site request forgery (XSRF), authentication bypasses and other types of web application vulnerabilities that might compromise the confidentiality or integrity of user data. The premium $3,133.7 reward will be paid in cases where the reported bug is especially severe or clever. Reports of less sophisticated bugs will fetch $500.

Members of Google's security team, including Chris Evans, Neel Mehta, Adam Mein, Matt Moore, and Michal Zalewski, will determine which bugs are eligible.

Google's blog post announcing the new program makes clear that proofs of concept should attack only accounts controlled by the researcher. Attacks against Google's corporate infrastructure, denial-of-service attacks and social-engineering and physical attacks are strictly forbidden. Google has also asked participants to refrain from using automated testing tools.

The rewards are also unavailable to those who publicly report the vulnerability before it is fixed, though researchers are free to toot their own horn once it has been patched.

While some companies – including Microsoft – have made it clear they won't retaliate against researchers who privately report bugs in their sites, Google is the only site we're aware of that's offering cash rewards to do so. Some researchers have long grumbled that they should receive compensation for the reports that benefit users of websites and software. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
UK smart meters arrive in 2020. Hackers have ALREADY found a flaw
Energy summit bods warned of free energy bonanza
DRUPAL-OPCALYPSE! Devs say best assume your CMS is owned
SQLi hole was hit hard, fast, and before most admins knew it needed patching
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Mozilla releases geolocating WiFi sniffer for Android
As if the civilians who never change access point passwords will ever opt out of this one
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.