
Google Vulnerability Reward Program

Back in January of this year, the Chromium open source project launched a well-received vulnerability reward program. In the months since launch, researchers reporting a wide range of great bugs have received rewards — a small summary of which can be found in the Hall of Fame. They’ve seen a sustained increase in the number of high quality reports from researchers, and their combined efforts are contributing to a more secure Chromium browser for millions of users.
Today, they are announcing an experimental new vulnerability reward program that applies to Google web properties. They already enjoy working with an array of researchers to improve Google security, and some individuals who have provided high caliber reports are listed on their credits page. As well as enabling them to thank regular contributors in a new way, they hope the new program will attract new researchers and the types of reports that help make their users safer.
In the spirit of the original Chromium blog post, they have some information about the new program in a question and answer format below:
Q) What applications are in scope?
A) Any Google web properties which display or manage highly sensitive authenticated user data or accounts may be in scope. Some examples could include:
  • *.google.com
  • *.youtube.com
  • *.blogger.com
  • *.orkut.com
For now, Google’s client applications (e.g. Android, Picasa, Google Desktop, etc.) are not in scope. They may expand the program in the future.
Q) What classes of bug are in scope?
A) It’s difficult to provide a definitive list of vulnerabilities that will be rewarded; however, any serious bug which directly affects the confidentiality or integrity of user data may be in scope. They anticipate most rewards will be in bug categories such as:
  • XSS
  • XSRF / CSRF
  • XSSI (cross-site script inclusion)
  • Bypassing authorization controls (e.g. User A can access User B’s private data)
  • Server side code execution or command injection
Out of concern for the availability of their services to all users, they ask us to refrain from using automated testing tools.
These categories of bugs are definitively excluded:
  • attacks against Google’s corporate infrastructure
  • social engineering and physical attacks
  • denial of service bugs
  • non-web application vulnerabilities, including vulnerabilities in client applications
  • SEO blackhat techniques
  • vulnerabilities in Google-branded websites hosted by third parties
  • bugs in technologies recently acquired by Google
Q) How far should I go to demonstrate a vulnerability?
A) Please, only ever target your own account or a test account. Never attempt to access anyone else’s data. Do not engage in any activity that bombards Google services with large numbers of requests or large volumes of data.
Q) I’ve found a vulnerability — how do I report it?
A) Contact details are listed here. Please only use the email address given for actual vulnerabilities in Google products. Non-security bugs and queries about problems with our account should instead be directed to the Google Help Centers.
Q) What reward might I get?
A) The base reward for qualifying bugs is $500. If the rewards panel finds a particular bug to be severe or unusually clever, rewards of up to $3,133.7 may be issued. The panel may also decide a single report actually constitutes multiple bugs requiring reward, or that multiple reports constitute only a single reward.
Some researchers aren’t interested in the money, so they’d also like to give us the option to donate our reward to charity. If we do, they’ll match it — subject to their discretion.
Regardless of whether we’re rewarded monetarily or not, all vulnerability reporters who interact with them in a respectful, productive manner will be credited on a new vulnerability reporter page. If they file a bug internally, we’ll be credited.
Superstar performers will continue to be acknowledged under the “We Thank You” section of this page.
Q) How do I find out if my bug qualified for a reward?
A) We will receive a comment to this effect in an emailed response from the Google Security Team.
Q) What if someone else also found the same bug?
A) Only the first report of a given issue that we had not yet identified is eligible. In the event of a duplicate submission, only the earliest received report is considered.
Q) Will bugs disclosed without giving Google developers an opportunity to fix them first still qualify?
A) They believe handling vulnerabilities responsibly is a two-way street. It’s their job to fix serious bugs within a reasonable time frame, and they in turn request advance, private notice of any issues that are uncovered. Vulnerabilities that are disclosed to any party other than Google, except for the purposes of resolving the vulnerability (for example, an issue affecting multiple vendors), will usually not qualify. This includes both full public disclosure and limited private release.
Q) Do I still qualify if I disclose the problem publicly once fixed?
A) Yes, absolutely! They encourage open collaboration. They will also make sure to credit us on their new vulnerability reporter page.
Q) Who determines whether a given bug is eligible?
A) Several members of the Google Security Team including Chris Evans, Neel Mehta, Adam Mein, Matt Moore, and Michal Zalewski.
Q) Are you going to list my name on a public web page?
A) Only if you want them to. If selected as the recipient of a reward, and we accept, they will need our contact details in order to pay us. However, at our discretion, we can choose not to be listed on any credit page.
Q) No doubt you wanted to make some legal points?
A) Sure. They encourage broad participation. However, they are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. This program is also not open to minors. We are responsible for any tax implications depending on our country of residency and citizenship. There may be additional restrictions on our ability to enter depending upon our local law.
This is not a competition, but rather an experimental and discretionary rewards program. We should understand that they can cancel the program at any time, and that the decision as to whether or not to pay a reward is entirely at their discretion.
Of course, our testing must not violate any law, or disrupt or compromise any data that is not our own.
Cool, isn't it? So guys, why don't we try it?

Happy researching ;) 
Copyright © 2010 | Flash News Converted into Blogger Template by HackTutors