Nov 2, 2010 07:15 GMT

Google has launched a new vulnerability reward program, modeled after its existing Chromium one, which promises to pay security researchers for finding vulnerabilities in many of its online services.

The reward program will cover any Google Web properties that handle "highly sensitive authenticated user data or accounts."

This covers websites such as *.google.com, *.youtube.com, *.blogger.com and *.orkut.com, but excludes client applications such as Android, Picasa, Google Desktop and similar software. Chrome is also excluded, since it has its own program.

The types of vulnerability that qualify for rewards include cross-site scripting (XSS), cross-site request forgery (CSRF), cross-site script inclusion (XSSI, where an attacker's site loads a victim's dynamically generated script or data as a script and reads the user's information), bugs that allow accessing other users' private data, and server-side code execution.

This is not a definitive list; in general, any significant flaw that affects the confidentiality or integrity of user data may be rewarded.

However, the company makes it clear that researchers should not use automated tools to scan for vulnerabilities and should test the flaws using their own accounts or ones specially set up for this purpose.

The rewards are similar to those offered through the Chromium bug bounty program. The base reward is usually $500, but for a vulnerability judged "unusually clever" researchers can receive $3,133.7 (the figure reads as "elite" in leet speak).

The reports will be reviewed by a panel formed from members of the Google Security Team, which includes Chris Evans, Neel Mehta, Adam Mein, Matt Moore, and Michal Zalewski.

Vulnerabilities must be reported directly to Google at [email protected] before any full or partial public disclosure. The one exception is a flaw that affects multiple vendors, in which case the researcher may also notify the other affected parties.

The program does not apply to researchers in countries on sanctions lists, such as Cuba, Iran, North Korea, Sudan or Syria. In addition, the program is not available to minors.

This last restriction is intriguing, considering that Mozilla, which runs a similar program, recently awarded $3,000 to a 12-year-old for finding a critical vulnerability in Firefox.

"Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own," the company says. This is also an interesting addendum, since the legal definition of unauthorized access or data compromise may differ from country to country.