Find a vulnerability on one of Google’s most popular web applications, and you may get paid.
The internet giant on Monday announced plans to extend its existing Chrome browser bounty program to cover “web properties which display or manage highly sensitive authenticated users data or accounts,” such as Google, YouTube, Blogger and Orkut, Google’s security team said in a blog post. The company’s client applications, such as Android, Picasa and Desktop, are as of now not covered under the program.
Researchers are encouraged to look for bugs that affect the “confidentiality or integrity” of user information, such as cross-site scripting, cross-site request forgery and authorization bypass vulnerabilities, the post said.
“Please, only ever target your own account or a test account,” the security team wrote. “Never attempt to access anyone else’s data. Do not engage in any activity that bombards Google services with large numbers of requests or large volumes of data.”
The base prize is $500, but each find could be worth up to $3,133.70, depending on the severity of the flaw. Google may match the reward if winners want to donate it to charity. To qualify, disclosures must be privately reported to Google, but researchers are encouraged to post details of their discovery after Google has fixed the issue.
Google is a leading industry proponent of bug disclosures that benefit both the finder and the vulnerable vendor. In July, the company said software makers should fix “critical” vulnerabilities within two months, and researchers should demand a patch deadline for any flaw they submit.
“Accordingly, we believe that responsible disclosure is a two-way street,” Google researchers and engineers wrote at the time. “Vendors, as well as researchers, must act responsibly. Serious bugs should be fixed within a reasonable timescale. Whilst every bug is unique, we would suggest that 60 days is a reasonable upper bound for a genuinely critical issue in widely deployed software.”
In January, Google launched an incentive program that encourages researchers to report bugs they find in Chromium, the open-source framework on which the Chrome web browser is based. Several months after, Google raised the maximum reward for a “particularly severe” vulnerability to $3,133.70, up from $1,337.
Some vendors, such as Mozilla, offer similar bounties. Others, like Microsoft, do not.