Google Generous with Web Vulnerability Rewards During First Week

  Google to pay $20,000 to researchers through Web vulnerability reward program
Google plans to award over $20,000 for bug reports received from security researchers during the first week after its Web vulnerability reward program was launched.

Google plans to award over $20,000 for bug reports received from security researchers during the first week after its Web vulnerability reward program was launched.

The company is very happy with the response it got so far, even though it admits its review panel was somewhat generous and also rewarded low severity bugs that shouldn't normally qualify.

"We've received many high quality reports from across the globe. Our bug review committee has been working hard, and we’re pleased to say that so far we plan to award over $20,000 to various talented researchers," the Google Security Team announced.

Bounty winners will be added to the company's security "Hall of Fame" page and bug qualifying conditions have suffered additional changes.

Google's Web vulnerability reward program is modeled after the already existent Chromium one and awards bounties of $500 and $3,133.7 ("elite" in leet speak) for bugs found in the company's Web properties.

Services like *.google.com, *.youtube.com, *.blogger.com and *.orkut.com are covered and the accepted vulnerability types include cross-site scripting (XSS), cross-site request forgery (CSRF), cross-site script inclusion (XSSI), as well as neighborhood spying and server-side code execution.

Google has updated the program's page with additional clarifications about which bugs can't qualify for rewards.

These include flaws located in Google-branded services maintained by third parties, such as Google Store, or the ones found in websites recently acquired by the company.

Some type of issues stemming from unresolved World Wide Web design flaws are also excluded from the program. Logout cross-site request forgery or content proxying and framing are two examples.

Other bugs that don't qualify are URL redirection vulnerabilities, cross-site scripting weaknesses that involve Google's "sandbox" domains (googleusercontent.com and gmodules.com) or flaws resulting from user-supplied JavaScript on Blogger.

Even with these exclusions, the attack surface is wide enough to make this program very attractive to a lot of security researchers.

Comments

By    16 Nov 2010, 08:22 GMT