A year and a half ago, Google’s security team launched a Vulnerability Reward Program for all of its web properties and it’s now ratcheting up the program, offering up to $20,000 to anyone who can eradicate some particularly nasty bugs.
“We decided to take this step to invite cutting-edge external research that would help us keep our users safe,” said a Google statement.
The program encompasses any Google-operated web service that handles reasonably sensitive user data, including virtually all the content within the Google.com, YouTube.com, Blogger.com and Orkut.com domains.
Not included are newly acquired Google properties during the first 6 months after their acquisition, or any Google client applications, such as Android, Sketchup, Picasa, or Google Desktop.
Google notes that while “it is difficult to provide a definitive list of bugs that will qualify for a reward, any bug that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program.” Such bugs include cross-site scripting, cross-site request forgery, cross-site script inclusion, flaws in authentication and authorization mechanisms, and server-side code execution or command injection bugs.
The program “definitely excludes reports of attacks against Google corporate infrastructure, social engineering and attacks on physical facilities, brute-force denial of service bugs, SEO techniques, vulnerabilities in non-web applications, or vulnerabilities in Google-branded services operated by third parties.”