Google offers cash for finding Web security holes

The Net giant will pay between $500 and $3,133.70 to anyone who finds vulnerabilities on its Web sites.

Taking a page from the Chrome playbook, Google has launched a program to encourage outsiders to find security vulnerabilities in its Web properties.

Under the Chrome vulnerability-finding bounty program, the company already has been paying varying sums to those who locate holes in the browser. The package has also included a mention in the Chromium security hall of fame and a public thank-you to those providing Google with sustained security help.

The duplication of the initial program is geared to uncover "any serious bug which directly affects the confidentiality or integrity of user data," members of Google's security team said in a blog post yesterday. Payments are commensurate with the seriousness of the vulnerability and include $500, $1,000, $1,337, and $3,133.70 (that's "leet" and "eleet" for the leetspeak-impaired).

"We are announcing an experimental new vulnerability reward program that applies to Google Web properties," the security team said. "As well as enabling us to thank regular contributors in a new way, we hope our new program will attract new researchers and the types of reports that help make our users safer."

The new program rewards those who find issues such as cross-site scripting vulnerabilities in Google properties including YouTube, Orkut, Blogger, Google Docs, and Gmail. It doesn't include software that runs on local computing devices such as Android, Picasa, and Sketchup, Google said, though it may expand the program in that direction later.

There are exclusions. Some types of problems, such as denial-of-service attacks and social engineering, aren't eligible for rewards. And bug finders in Cuba, Iran, North Korea, Sudan, and Syria aren't eligible for legal reasons.

About the author

Stephen Shankland has been a reporter at CNET since 1998 and covers browsers, Web development, digital photography and new technology. In the past he has been CNET's beat reporter for Google, Yahoo, Linux, open-source software, servers and supercomputers. He has a soft spot in his heart for standards groups and I/O interfaces.

