Back in January of this year, the Chromium open source project launched a well-received vulnerability reward program. In the months since launch, researchers reporting a wide range of great bugs have received rewards — a small summary of which can be found in the Hall of Fame. We've seen a sustained increase in the number of high quality reports from researchers, and their combined efforts are contributing to a more secure Chromium browser for millions of users.
Today, we are announcing an experimental new vulnerability reward program that applies to Google web properties. We already enjoy working with an array of researchers to improve Google security, and some individuals who have provided high caliber reports are listed on our credits page. As well as enabling us to thank regular contributors in a new way, we hope our new program will attract new researchers and the types of reports that help make our users safer.
In the spirit of the original Chromium blog post, we have some information about the new program in a question and answer format below:
Q) What applications are in scope?
A) Any Google web properties which display or manage highly sensitive authenticated user data or accounts may be in scope. Some examples could include:
- *.google.com
- *.youtube.com
- *.blogger.com
- *.orkut.com
UPDATE: We also recommend reading our additional thoughts about these guidelines to help clarify what types of applications and bugs are eligible for this program.
Q) What classes of bug are in scope?
A) It's difficult to provide a definitive list of vulnerabilities that will be rewarded; however, any serious bug which directly affects the confidentiality or integrity of user data may be in scope. We anticipate most rewards will be in bug categories such as:
- XSS
- XSRF / CSRF
- XSSI (cross-site script inclusion)
- Bypassing authorization controls (e.g. User A can access User B's private data)
- Server side code execution or command injection
These categories of bugs are definitively excluded:
- attacks against Google’s corporate infrastructure
- social engineering and physical attacks
- denial of service bugs
- non-web application vulnerabilities, including vulnerabilities in client applications
- SEO blackhat techniques
- vulnerabilities in Google-branded websites hosted by third parties
- bugs in technologies recently acquired by Google
A) Please, only ever target your own account or a test account. Never attempt to access anyone else's data. Do not engage in any activity that bombards Google services with large numbers of requests or large volumes of data.
Q) I've found a vulnerability — how do I report it?
A) Contact details are listed here. Please only use the email address given for actual vulnerabilities in Google products. Non-security bugs and queries about problems with your account should instead be directed to the Google Help Centers.
Q) What reward might I get?
A) The base reward for qualifying bugs is $500. If the rewards panel finds a particular bug to be severe or unusually clever, rewards of up to $3,133.7 may be issued. The panel may also decide a single report actually constitutes multiple bugs requiring reward, or that multiple reports constitute only a single reward.
We understand that some researchers aren’t interested in the money, so we’d also like to give you the option to donate your reward to charity. If you do, we'll match it — subject to our discretion.
Regardless of whether you're rewarded monetarily or not, all vulnerability reporters who interact with us in a respectful, productive manner will be credited on a new vulnerability reporter page. If we file a bug internally, you'll be credited.
Superstar performers will continue to be acknowledged under the "We Thank You" section of this page.
Q) How do I find out if my bug qualified for a reward?
A) You will receive a comment to this effect in an emailed response from the Google Security Team.
Q) What if someone else also found the same bug?
A) Only the first report of a given issue that we had not yet identified is eligible. In the event of a duplicate submission, only the earliest received report is considered.
Q) Will bugs disclosed without giving Google developers an opportunity to fix them first still qualify?
A) We believe handling vulnerabilities responsibly is a two-way street. It's our job to fix serious bugs within a reasonable time frame, and we in turn request advance, private notice of any issues that are uncovered. Vulnerabilities that are disclosed to any party other than Google, except for the purposes of resolving the vulnerability (for example, an issue affecting multiple vendors), will usually not qualify. This includes both full public disclosure and limited private release.
Q) Do I still qualify if I disclose the problem publicly once fixed?
A) Yes, absolutely! We encourage open collaboration. We will also make sure to credit you on our new vulnerability reporter page.
Q) Who determines whether a given bug is eligible?
A) Several members of the Google Security Team including Chris Evans, Neel Mehta, Adam Mein, Matt Moore, and Michal Zalewski.
Q) Are you going to list my name on a public web page?
A) Only if you want us to. If selected as the recipient of a reward, and you accept, we will need your contact details in order to pay you. However, at your discretion, you can choose not to be listed on any credit page.
Q) No doubt you wanted to make some legal points?
A) Sure. We encourage broad participation. However, we are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. This program is also not open to minors. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.
This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time, and the decision as to whether or not to pay a reward has to be entirely at our discretion.
Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.
Thank you for helping us to make Google's products more secure. We look forward to issuing our first reward in this new program.
This is a really good approach. It rewards people for pushing the boundaries of the software and finding issues with it. I wish the Diaspora guys had something like this in place.
Excellent effort by Google (clap clap clap)
I was just talking to someone about the recent vulns found in the Android kernel from HTC being a good argument for "no more free bugs". This is great news. I look forward to them expanding the program to Android.
Rewards programs like this are legally interesting. I don't know if it's legally possible to participate in this program without breaking an "attempted computer intrusion" law.
ReplyDeleteI'm sure the young hackers among us will be interested in precisely what you mean by
"This program is also not open to minors", in particular, what jurisdiction applies in determining the age of majority.
Mark, they probably mean the age in which a person is allowed to vote. In the U.S. this means 18.
Is there a reason for the no-minors restriction?
ReplyDeleteMaxwell, in many (most?) jurisdictions there are various legal restrictions regarding how companies interact with minors (especially when money is involved). I'm sure the intent here is to avoid the need to involve lawyers in validating the legality of giving an award in any particular case. That said, I would suggest any minor looking to claim a reward simply have a parent or other trusted adult apply on their behalf.
@oscar Diaspora is software in pre-alpha state, it's open sourced, it has no current user base, no revenue stream, it's currently being supported entirely by donations it received, and there are only 4 people at the company. This model of paying for security bugs has absolutely no feasibility or relevance at this point to Diaspora.
So, *.blogger.com is included... but is *.blogspot.com?
ReplyDeleteThere is a large section of the community who see bug hunting for money as a diss and are not interested in it and will not associate with any company offering money.
This programme won't help your plight, but send people walking further away.
Google should not be limiting their scope to draw in good bug hunters, but this is exactly the effect offering money will have.
This is not in the best interest of security.
Andrew
Are vulnerabilities in the reCaptcha service eligible for the reward?
If so, what is the scope in this case about what would be considered a vulnerability?
You have some "buggy links" on the Hall of Fame page:
For most of the HOF entries, clicking on the bug number takes me to the report page. However, some of the bug numbers take me to a page promoting Google Project Hosting. I didn't check all numbers but here are the problematic ones I found: 51630, 48283, 51070. There are probably others too.
By the way, searching the HOF page or the other related linked pages, I didn't see any directions on how to contact anybody to report such issues about the web pages. That's why I'm posting it here. It would be nice to add some contact info to those pages.
This is still pathetic and ridiculous. "$3,133.7 dollars", that is it!!! A company as big as Google only pays $3K, and not just for any bugs, the "severe and unusual" ones. Are you serious?! A severe and unusual bug would be sold somewhere else for thousands, and EAP/ZDI/iDefense pay more than $3K (if you provide accurate details for the bug) for the not severe and unusual ones.
So why, again, would Google bother to announce this?
@Selim: I think the Chromium Hall of Fame links are ok. You're not seeing a promotion page, but a login page. Some of the bugs are still "hidden" when they are fixed in Chromium but might still affect the products of other vendors which use the same underlying libraries.
@Netdev: as clearly stated, the rewards can be donated to charity. This gives hackers who get their buzz via non-monetary means a way to make the world better in two different ways at once.
I don't see how finding bugs in software would ever make the world a better place.
This 3K offer might be pathetic, but for some minor XSS problems and other stuff it is well worth it if you put in 10-20 hours of work.
Anyway, now that they have announced it to the public and thousands of news portals are advertising it, this bug hunt will also be exhausted, like any other opportunity to make money online, e.g. Elance.
Even if you find some bugs, there's a good chance someone already did and you wasted your time; Google won't pay for it.
I have found a bug in Google Buzz. This bug also indirectly affects the Google AdSense program, which results in false clicks and a Google TOS breach.
I do not know whether Google Buzz is included in this program.
I bet Apple would do the same thing.
Great.. I'll try ;)
I just passed the "Gmail Security Verification" questionnaire in Russian, and found one small mistake:
on the last step there I see Romanian "Selectaţi „Rămâneţi conectat(ă)” numai dacă vă conectaţi de pe un computer personal.", which cannot be understood by Russians. Please fix it.
Thanks
Thanks for your report, GeniU$. We have passed your comment to the appropriate team to investigate and make a correction.
Google Operations Team
Hi, I'm from Brazil. Here, version 8.0.552.224 of Google Chrome returns many pages using orkut.com; it's very uncomfortable. Thank you, and sorry for the worst English ):
Hi, I sent an email about Google AdSense bugs. It's a very dangerous bug; it has been 5 days and Google hasn't sent me any feedback. I'm just waiting for Google to fix it before publishing on some security blogs. Sorry for the bad English.
ReplyDeleteHey blackmind
Can you please post the ID number you received in the auto-reply? It should be in the subject header.
thanks,
Adam
Hi Adam, the ID is 740250882
Tks
I assume the cash reward is not available to Google developers :-)
ReplyDeleteHello.
Are these sites included in the awards program?
admob.com
googlestore.com
gizmoproject.com
gizmo5.com
picnik.com
on2.com
googleusercontent.com
opensocial.org
whatbrowser.org
googledeveloperday.com
zeitgeistminds.com
Is feedburner.com in the scope of the reward program?
It's a good idea but I agree that the money reward is not worth it... most hackers would be able to sell such security bugs for more money than that in other markets... plus those of us who would be willing to invest time into finding such bugs would need a bigger reward than $500 with a chance of $3k... maybe if they did $3k with a chance of $10k... we live in a world where those of us with skills value our time very much... still I'll be on the lookout for anything I can spot indirectly...
Why do I have to have a cellphone? I've been asked for a mobile number again when I made it clear days ago I don't have a cellphone.
I was instead provided with a verification e-mail.
I can barely get the hang of the newer ones and I have trouble with using text on cellphones.
Hi.
What about the Android platform? Is it in the program or isn't it?