Google Expands Vulnerability Program to Web Applications

Google is expanding its bug disclosure reward program to cover YouTube, Orkut and its other Web apps.

Google is extending its vulnerability reward program to cover its Web properties, including YouTube and Orkut.

The program will pay researchers a maximum of $3,133.70 for finding bugs in Google's Web applications and reporting them directly to the company. Google announced the program Nov. 1, building upon a program it started earlier this year to reward the security community for coming forward with vulnerabilities in Google Chrome.

"We already enjoy working with an array of researchers to improve Google security, and some individuals who have provided high caliber reports are listed on our credits page," according to a post on Google's Security blog. "As well as enabling us to thank regular contributors in a new way, we hope our new program will attract new researchers and the types of reports that help make our users safer."

The base reward for qualifying bugs is $500. For now, Google's client applications, such as Android and Google Desktop, are not in the scope of the program, though it may be expanded in the future, Google said.

The company is asking researchers to refrain from using automated testing tools. Additionally, attacks against Google's corporate infrastructure, denial-of-service bugs and vulnerabilities in recently acquired technologies are excluded from the program. Also excluded are social engineering and physical attacks, black hat search engine optimization techniques and vulnerabilities in Google-branded websites hosted by third parties.

"Please, only ever target your own account or a test account," Google said. "Never attempt to access anyone else's data. Do not engage in any activity that bombards Google services with large numbers of requests or large volumes of data."

"We believe handling vulnerabilities responsibly is a two-way street," the security team added. "It's our job to fix serious bugs within a reasonable time frame, and we in turn request advance, private notice of any issues that are uncovered. Vulnerabilities that are disclosed to any party other than Google, except for the purposes of resolving the vulnerability (for example, an issue affecting multiple vendors), will usually not qualify."

More details on reporting vulnerabilities can be found here.