Google, the Internet's dominant search engine, has launched an experimental vulnerability reward program that invites anyone to help find security bugs in its Web properties that display or manage highly sensitive authenticated user data. According to a post on the Google Online Security Blog, Google is asking outsiders to report "any serious bug which directly affects the confidentiality or integrity of user data" on sites such as Google.com, YouTube.com, and Blogger.com. Those whose reports qualify will be paid for their work.
This expands on an effort begun earlier this year, when Google started an experimental reward program for its open-source Chromium browser project. A wide range of bugs was reported, and rewards from $500 to more than $1,300 went to dozens of individuals. Winners were also honored by inclusion in an online Hall of Fame. These researchers' "combined efforts are contributing to a more secure Chromium browser for millions of users," writes the Google Security Team.
As with the Chromium program, the base reward for a qualifying bug is $500. If the rewards panel finds a particular bug to be "severe or unusually clever," the team states, rewards of up to about $3,000 may be issued.
Google's client applications, such as Android, Picasa, and Google Desktop, are not currently included in the reward scheme but may be added later. The team anticipates that most rewards will fall into bug categories such as XSS (cross-site scripting), XSRF/CSRF (cross-site request forgery), XSSI (cross-site script inclusion, in which an attacker's page loads a victim's authenticated JSON or script endpoint with a script tag and reads the returned data), authorization bypasses in which one user can reach another user's private data, and server-side code execution or command injection.
The team also noted that the rewards program is not open to minors or "individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan, and Syria) on sanctions lists."
Photo Credit: Photo by Marieke Kuijjer/flickr/creative commons license.