Google is expanding its bug disclosure reward program to cover YouTube, Orkut and its other Web apps.
Google is extending its vulnerability reward program to cover its Web properties, including YouTube and Orkut.
The program will pay researchers a maximum of $3,133.70 for finding
bugs in Google's Web applications and reporting them directly to the
company. Google announced the
program Nov. 1, building upon a program it started earlier this year
to reward the security community for coming forward with vulnerabilities in Google Chrome.
"We already enjoy working with an array of researchers to improve
Google security, and some individuals who have provided high caliber
reports are listed on our credits page," according to a post on
Google's Security blog. "As well as enabling us to thank regular contributors in a new way
, we hope our new program will attract new researchers and the types of reports that help make our users safer."
The base reward for qualifying bugs is $500. For now, Google's
client applications, such as Android and Google Desktop, are not in the
scope of the program, though it may be expanded in the future, Google
The company is asking researchers to refrain from using automated
testing tools. Additionally, attacks against Google's corporate
infrastructure, denial-of-service bugs and vulnerabilities in recently
acquired technologies are excluded from the program. Also excluded
are social engineering and physical attacks, black hat search engine
optimization techniques and vulnerabilities in Google-branded websites hosted by third parties.
"Please, only ever target your own account or a test account,"
Google said. "Never attempt to access anyone else's data. Do not engage
in any activity that bombards Google services with large numbers of
requests or large volumes of data."
handling vulnerabilities responsibly is a two-way street," the security
team added. "It's our job to fix serious bugs within a reasonable time
frame, and we in turn request advance, private notice of any issues
that are uncovered. Vulnerabilities that are disclosed to any party
other than Google, except for the purposes of resolving the
vulnerability (for example, an issue affecting multiple vendors), will
usually not qualify."
More details on reporting vulnerabilities can be found here