Google recruits digital bounty hunters

Google is significantly expanding its vulnerability reward program to include multiple web properties.

Initially limited to the company’s Chromium open source project, the bug bounty hunting program now applies to a number of Google web sites, including YouTube, Blogger, Orkut and, of course,

However, various client applications, such as Android, Picasa and GDesktop, are not part of the new initiative.

So, how much is Google willing to pay its talented bounty hunters?

Well, the base reward for qualifying bugs is currently set at a cool $500. 

Nevertheless, if the reward panel determines that a particular bug is severe or unusually clever, cash payments could theoretically be increased to a sweet $3,133.

Of course, the panel may also decide that a single report actually constitutes multiple bugs requiring reward, or that multiple reports constitute only a single reward.

OK, but what class of bugs is Google prepared to accept? 

Obviously, it’s rather difficult for the Internet search giant to provide a definitive list of vulnerabilities that will be rewarded.

Still, any serious bug which directly affects the confidentiality or integrity of user data may very well be a likely candidate. 

As such, Google anticipates that most rewards will be attributed to bugs discovered in the following categories:

  • XSS.
  • XSRF / CSRF.
  • XSSI (cross-site script inclusion).
  • Bypassing authorization controls (e.g. User A can access User B’s private data).
  • Server side code execution or command injection.

Excluded bugs include:

  • Attacks against Google’s corporate infrastructure.
  • Social engineering and physical attacks.
  • Denial of service bugs.
  • Non-web application vulnerabilities, including vulnerabilities in client.
  • Applications.
  • SEO blackhat techniques.
  • Vulnerabilities in Google-branded websites hosted by third parties.

Google bug reports can be reported here.

Happy hunting! Oh, and don’t drop your blaster!