Up to $3,133.70 for reporting security flaws in Google services
From leet to eleet – Google has extended its vulnerability reward program and issued a call to arms for attacks on its web-based applications. It has also raised the maximum award available to $3,133.70 (£1,960.90). The programme previously applied to vulnerabilities in its Chrome browser only. With rare exceptions, the maximum sum awarded was set at between $500 and $1,337.
The new programme covers all Google services running on the google.com, youtube.com, blogger.com and orkut.com domains. Particular emphasis is being placed on finding cross-site scripting (XSS), cross-site request forgery and cross-site script inclusion vulnerabilities, but security researchers are also being invited to tackle means of bypassing authentication or authorisation functions.
Google's business infrastructure, social engineering attacks, denial of service vulnerabilities and fraudulent search engine optimisation activities are explicitly excluded from the programme. To ensure that service availability is not affected, Google has asked researchers to avoid using automated testing tools on its servers. Android, Picasa and Google Desktop remain outside the scope of the reward programme.
The maximum award of $3,133.70 is only available for reporting particularly smart or unusual vulnerabilities or attacks. More details on the programme can be found on Google's security blog. Google is hoping that the move will make its services more secure.