Google offers bounty to Web bug hunters

Google will pay up to $3,133.70 for reports of bugs in its websites

Following up on a successful bug bounty program that pays hackers for finding security flaws in its Chrome browser, Google now says that it will pay cash for security bugs reported on its websites.

Google calls the program "experimental," but says it gives security researchers new incentives to report Web flaws directly to Google's security team. "As well as enabling us to thank regular contributors in a new way, we hope our new program will attract new researchers and the types of reports that help make our users safer," Google said Monday in a blog posting announcing the program.

The idea is to give Google a chance to fix the vulnerabilities before the bad guys get their hands on them. So, in order to qualify, security researchers must privately disclose new flaws to Google first before they go public with their research. In return, the hackers qualify for cash rewards of between $US500 and $3,133.70, depending on the severity of the flaw.

Google has already paid out about 50 such rewards for Chrome bugs since launching a similar program last January. Google doesn't pay out for bugs in all of its products, however. There are no bounties for finding flaws in Android, Picasa or Google Desktop, for example.

With the Web program, Google is breaking new ground.

Web-based hacking involves experimenting with Google's own servers, rather than software that is downloaded to the researcher's computer. So people who do this work run the risk of breaking the law or possibly even disrupting Google's services while conducting their research.

To prevent those kinds of things from happening, Google offers a few guidelines about what's OK and what's not under the program. The company won't pay for denial of service bugs -- which would simply crash Google's Web properties -- or for bugs in the company's corporate infrastructure.

Also out are search engine optimization tricks, bugs in Google-branded sites that are actually hosted by someone else and flaws in sites that were only recently purchased by Google.

And Google says that participants shouldn't use automated tools to search for flaws. "Please, only ever target your own account or a test account," Google said in its blog post. "Never attempt to access anyone else's data. Do not engage in any activity that bombards Google services with large numbers of requests or large volumes of data."

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

Join the PC World newsletter!

Error: Please check your email address.

Tags Internet-based applications and servicesGooglesecurityinternet

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?