Put Google in this second category. On Monday, the search giant announced on its security blog that it is expanding its “bug bounty” program, a rewards system that pays up to $3,133.7 to anyone who can demonstrate a serious security flaw in its software. Instead of covering only Chromium, the open source code behind its Chrome browser, the bounties now also apply to bugs in the company’s web applications.
Any hacker who finds an exploitable bug on a Google site that hosts “highly sensitive authenticated user data or accounts” – domains like Gmail, YouTube, Blogger, or any other Google service – can report the problem to Google privately and earn anywhere from $500 to $3,133.7 for particularly clever finds. (The 1337 spells “leet,” semi-ironic hacker lingo for an “elite” practitioner of the digital dark arts.) If a researcher prefers to donate the bounty to charity, Google offers to match it.
In addition to inspiring independent researchers to help remove vulnerabilities in Google’s code, the program can also help keep these bugs private before they’re fixed. Google’s rewards come with restrictions on how the researcher can publicize their discovery. “We believe that responsible vulnerability management is a two-way street,” writes the Google security team. “It is our job to fix serious bugs within a reasonable time, and we in turn request prior and private notification of any issues that are discovered.”
Google is far from the only bug buyer in the market: Mozilla, the creator of Firefox, Verisign’s iDefense, and HP’s Zero Day Initiative all offer bounties for vulnerabilities. (Last month, a twelve-year-old won $3,000 by exposing a bug in Firefox.) But those programs pay for bugs in traditional desktop software, not web applications. Google’s program does not cover its client programs such as Picasa or Android, but it opens the door to bounties for common web bugs like cross-site scripting and cross-site request forgery, weaknesses that, according to Web-focused security companies such as WhiteHat Security, exist in more than 80% of sites.
You can read the full terms of Google’s bounty offer here. And good hunting.