Google has placed a bounty on bugs found on its Web sites. The company is giving cash rewards to users who find and report security loopholes, Google announced in a Monday blog post.
“We are announcing an experimental new vulnerability reward program that applies to Google Web properties,” Google said. “As well as enabling us to thank regular contributors in a new way, we hope our new program will attract new researchers and the types of reports that help make our users safer.”
Depending on the nature and gravity of the bug uncovered, prizes ranging from $500 to more than $3,100 will be awarded. Eligible bugs can be found on Google, YouTube, Blogger, Orkut, and other sites, and Google will double the reward for users who opt to donate their prize to charity. Google is doling out cash for various types of reported flaws, including cross-site scripting (XSS), server-side code execution, and authorization bypass errors.
This program builds on similar incentives Google started offering in January via its Chromium vulnerability reward program. Google said this program uncovered a “wide range of great bugs” and contributed to “a more secure Chromium browser for millions of users.”
“It’s difficult to provide a definitive list of vulnerabilities that will be rewarded, however, any serious bug which directly affects the confidentiality or integrity of user data may be in scope,” Google said.
Right now, Google client apps such as Android and Picasa are not a part of the program, but Google said it might be expanded.