Google offers cash for finding Web security holes

The Net giant will pay between $500 and $3,133.70 to anyone who finds vulnerabilities on its Web sites.

Taking a page from the Chrome playbook, Google has launched a program to encourage outsiders to find security vulnerabilities in its Web properties.

Under the Chrome vulnerability-finding bounty program, the company already has been paying varying sums to those who locate holes in the browser. The package also includes a mention in the Chromium security hall of fame and a public thank-you to those providing Google with sustained security help.

The duplication of the initial program is geared to uncover "any serious bug which directly affects the confidentiality or integrity of user data," members of Google's security team said in a blog post yesterday. Payments are commensurate with the seriousness of the vulnerability and include $500, $1,000, $1,337, and $3,133.70 (that's "leet" and "eleet" for the leetspeak-impaired).

"We are announcing an experimental new vulnerability reward program that applies to Google Web properties," the security team said. "As well as enabling us to thank regular contributors in a new way, we hope our new program will attract new researchers and the types of reports that help make our users safer."

The new program rewards those who find issues such as cross-site scripting vulnerabilities in Google properties including YouTube, Orkut, Blogger, Google Docs, and Gmail. It doesn't include software that runs on local computing devices such as Android, Picasa, and SketchUp, Google said, though it may expand the program in that direction later.

There are exclusions. Some types of problems, such as denial-of-service attacks and social engineering, aren't eligible for rewards. And bug finders in Cuba, Iran, North Korea, Sudan, and Syria aren't eligible for legal reasons.