Monday, April 23, 2012

Spurring more vulnerability research through increased rewards



We recently marked the anniversary of our Vulnerability Reward Program, possibly the first permanent program of its kind for web properties. This collaboration with the security research community has far surpassed our expectations: we have received over 780 qualifying vulnerability reports that span across the hundreds of Google-developed services, as well as the software written by fifty or so companies that we have acquired. In just over a year, the program paid out around $460,000 to roughly 200 individuals. We’re confident beyond any doubt the program has made Google users safer.

Today, to celebrate the success of this effort and to underscore our commitment to security, we are rolling out updated rules for our program — including new reward amounts for critical bugs:
  • $20,000 for qualifying vulnerabilities that the reward panel determines will allow code execution on our production systems. 
  • $10,000 for SQL injection and equivalent vulnerabilities; and for certain types of information disclosure, authentication, and authorization bypass bugs. 
  • Up to $3,133.7 for many types of XSS, XSRF, and other high-impact flaws in highly sensitive applications. 
To help focus the research on bringing the greatest benefit to our users, the new rules offer reduced rewards for vulnerabilities discovered in non-integrated acquisitions and for lower risk issues. For example, while every flaw deserves appropriate attention, we are likely to issue a higher reward for a cross-site scripting vulnerability in Google Wallet than one in Google Art Project, where the potential risk to user data is significantly smaller.

Happy hunting - and if you find a security problem, please let us know!