Google extends bug bounties to YouTube, other sites

Find a vulnerability on one of Google's most popular web applications, and you may get paid.

The internet giant on Monday announced plans to extend its existing Chrome browser bounty program to cover "web properties which display or manage highly sensitive authenticated users data or accounts," such as Google, YouTube, Blogger and Orkut, Google's security team said in a blog post. The company's client applications, such as Android, Picasa and Desktop, are not currently covered by the program.

Researchers are encouraged to look for bugs that affect the "confidentiality or integrity" of user information, such as cross-site scripting, cross-site request forgery and authorization bypass vulnerabilities, the post said.

"Please, only ever target your own account or a test account," the security team wrote. "Never attempt to access anyone else's data. Do not engage in any activity that bombards Google services with large numbers of requests or large volumes of data."

The base prize is $500, but each find could be worth up to $3,133.70, depending on the severity of the flaw. Google may match the reward if winners want to donate it to charity. To qualify, disclosures must be privately reported to Google, but researchers are encouraged to post details of their discovery after Google has fixed the issue.

Google is a leading industry proponent of bug disclosures that benefit both the finder and the vulnerable vendor. In July, the company said software makers should fix "critical" vulnerabilities within two months, and researchers should demand a patch deadline for any flaw they submit.

"Accordingly, we believe that responsible disclosure is a two-way street," Google researchers and engineers wrote at the time. "Vendors, as well as researchers, must act responsibly. Serious bugs should be fixed within a reasonable timescale. Whilst every bug is unique, we would suggest that 60 days is a reasonable upper bound for a genuinely critical issue in widely deployed software."

In January, Google launched an incentive program that encourages researchers to report bugs they find in Chromium, the open-source framework on which the Chrome web browser is based. Several months later, Google raised the maximum reward for a "particularly severe" vulnerability to $3,133.70, up from $1,337.

Some vendors, such as Mozilla, offer similar bounties. Others, like Microsoft, do not.
