Google extends bug bounties to YouTube, other sites


Find a vulnerability on one of Google's most popular web applications, and you may get paid.

The internet giant on Monday announced plans to extend its existing Chrome browser bounty program to cover "web properties which display or manage highly sensitive authenticated users data or accounts," such as Google, YouTube, Blogger and Orkut, Google's security team said in a blog post. The company's client applications, such as Android, Picasa and Desktop, are not currently covered under the program.

Researchers are encouraged to look for bugs that affect the "confidentiality or integrity" of user information, such as cross-site scripting, cross-site request forgery and authorization bypass vulnerabilities, the post said.

"Please, only ever target your own account or a test account," the security team wrote. "Never attempt to access anyone else's data. Do not engage in any activity that bombards Google services with large numbers of requests or large volumes of data."

The base prize is $500, but each find could be worth up to $3,133.70, depending on the severity of the flaw. Google may match the reward if winners want to donate it to charity. To qualify, disclosures must be privately reported to Google, but researchers are encouraged to post details of their discovery after Google has fixed the issue.

Google is a leading industry proponent of bug disclosures that benefit both the finder and the vulnerable vendor. In July, the company said software makers should fix "critical" vulnerabilities within two months, and researchers should demand a patch deadline for any flaw they submit.

"Accordingly, we believe that responsible disclosure is a two-way street," Google researchers and engineers wrote at the time. "Vendors, as well as researchers, must act responsibly. Serious bugs should be fixed within a reasonable timescale. Whilst every bug is unique, we would suggest that 60 days is a reasonable upper bound for a genuinely critical issue in widely deployed software."

In January, Google launched an incentive program that encourages researchers to report bugs they find in Chromium, the open-source framework on which the Chrome web browser is based. Several months later, Google raised the maximum reward for a "particularly severe" vulnerability to $3,133.70, up from $1,337.

Some vendors, such as Mozilla, offer similar bounties. Others, like Microsoft, do not.
