
Google offers cash for finding Web security holes

The Net giant will pay between $500 and $3,133.70 to anyone who finds vulnerabilities on its Web sites.

Stephen Shankland, principal writer

Taking a page from the Chrome playbook, Google has launched a program to encourage outsiders to find security vulnerabilities in its Web properties.

Under the Chrome vulnerability-finding bounty program, the company has already been paying varying sums to those who locate holes in the browser. The package also includes a mention in the Chromium security hall of fame and a public thank-you to those who provide Google with sustained security help.

The new program, which duplicates the initial one, is geared to uncover "any serious bug which directly affects the confidentiality or integrity of user data," members of Google's security team said in a blog post yesterday. Payments are commensurate with the seriousness of the vulnerability and include $500, $1,000, $1,337, and $3,133.70 (that's "leet" and "eleet" for the leetspeak-impaired).

"We are announcing an experimental new vulnerability reward program that applies to Google Web properties," the security team said. "As well as enabling us to thank regular contributors in a new way, we hope our new program will attract new researchers and the types of reports that help make our users safer."

The new program rewards those who find issues such as cross-site scripting vulnerabilities in Google properties including YouTube, Orkut, Blogger, Google Docs, and Gmail. It doesn't include software that runs on local computing devices such as Android, Picasa, and Sketchup, Google said, though it may expand the program in that direction later.

There are exclusions. Some types of problems, such as denial-of-service attacks and social engineering, aren't eligible for rewards. And bug finders in Cuba, Iran, North Korea, Sudan, and Syria aren't eligible for legal reasons.