Members
Stats
  • Total Posts: 28514
  • Total Topics: 8240
  • Online Today: 852
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)












Author Topic: Report bugs on Google's websites: YouTube, Blogger... and earn $3,133.70  (Read 1523 times)

0 Members and 1 Guest are viewing this topic.

Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum


Google has unveiled a pilot program designed to make Blogger, YouTube and other company-run websites more secure by paying significant bounties to researchers who report bugs that threaten users.

The initiative expands on a previous bounty program that rewarded researchers only for bug reports in Chromium, the guts of Google's open-source Chrome browser. Effective immediately, rewards of as much as $3,133.70 (as in “leet,” or elite get it?) are available to people who report serious web-application flaws in Google properties such as its main site, YouTube or Blogger. Client apps such as Android, Picasa or Google desktop aren't eligible.

“Today, we are announcing an experimental new vulnerability reward program that applies to Google web properties,” the company said on Monday. “We already enjoy working with an array of researchers to improve Google security, and some individuals who have provided high caliber reports are listed on our credits page: http://www.google.com/corporate/security.html
As well as enabling us to thank regular contributors in a new way, we hope our new program will attract new researchers and the types of reports that help make our users safer.”

The bounties will be awarded when researchers privately report cross-site scripting (XSS), cross-site request forgery (XSRF), authentication bypasses and other types of web application vulnerabilities that might compromise the confidentiality or integrity of user data. The premium $3,133.7 reward will be paid in cases where the reported bug is especially severe or clever. Reports of less sophisticated bugs will fetch $500.

Members of Google's security team, including Chris Evans, Neel Mehta, Adam Mein, Matt Moore, and Michal Zalewski, will determine which bugs are eligible.

Google's blog post announcing the new program makes clear that proofs of concept should attack only accounts controlled by the researcher: http://googleonlinesecurity.blogspot.com/2010/11/rewarding-web-application-security.html
Attacks against Google's corporate infrastructure, denial-of-service attacks and social-engineering and physical attacks are strictly forbidden. Google has also asked participants to refrain from using automated testing tools.

The rewards are also unavailable to those who publicly report the vulnerability before it is fixed, though researchers are free to toot their own horn once it has been patched.

While some companies – including Microsoft – have made it clear they won't retaliate against researchers who privately report bugs in their sites, Google is the only site we're aware of that's offering cash rewards to do so. Some researchers have long grumbled that they should receive compensation for the reports that benefit users of websites and software.

(ElReg)

Samker's Computer Forum - SCforum.info





 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising