We recently marked the anniversary of our Vulnerability Reward Program, possibly the first permanent program of its kind for web properties. This collaboration with the security research community has far surpassed our expectations: we have received over 780 qualifying vulnerability reports that span across the hundreds of Google-developed services, as well as the software written by fifty or so companies that we have acquired. In just over a year, the program paid out around $460,000 to roughly 200 individuals. We’re confident beyond any doubt the program has made Google users safer.
Today, to celebrate the success of this effort and to underscore our commitment to security, we are rolling out updated rules for our program — including new reward amounts for critical bugs:
- $20,000 for qualifying vulnerabilities that the reward panel determines will allow code execution on our production systems.
- $10,000 for SQL injection and equivalent vulnerabilities; and for certain types of information disclosure, authentication, and authorization bypass bugs.
- Up to $3,133.7 for many types of XSS, XSRF, and other high-impact flaws in highly sensitive applications.
Happy hunting - and if you find a security problem, please let us know!
 
Stand alone vulerabilities, aren't as in demand as custom built attacks. Eg: Stuxnet
ReplyDelete---
Andrew Wallace
Independent consultant
http://www.n3td3v.org.uk/
So, do we get a "get out of jail free" card if we start trying to hack google to find these vulnerabilities, and do we have to register somewhere so u guys know it's just us trying to win a prize and not actually attack ur sites/code, or are u encouraging us to attack your services -- no holds barred? :D
ReplyDeleteI'm a bit rusty on some of this stuff because of working on other projects, etc., and I'm wondering what kind of resources you guys are going to be providing to help us get our feet wet again? Any chance of some youtube videos and "Hack Google 101" blog enteries, or are we pretty much on our own?
Anyway, thank u very much for the new offer, guys/google, and I think I found a new "hobby." :D.
Randall Jouett
Amateur Radio: AB5NI
Would be great to explain what they are looking for in a mainstream language that non technical user can understand to make the flaw's hunt fairer to anyone. Also, Google have probably specific flaw they are looking for and rewarding $20000 will be at reach of the most perverting flaw for the most technical genius who already know programming. This reducing the amount of people who can report google's flaw to google team ;-) Cunning!
ReplyDelete@McFred
ReplyDeleteNot too sure this would ever be doable by the non-technical community. Doing something like this will require years of study, familiarity with system and various OS architectures and instruction sets, XSS, SQL Injection and the use of an interactive disassembler. I have this skillset, but I'm just not up to snuff on the latest, greatest techniques. Basically, this is Google's "call to arms" for the technically oriented that are staying in the background, and upping the reward will (hopefully) pull them out of the woodwork -- and Google knows this...
Overall, this is a great move by Google. It will stimulate the security market and also help to make their services much less vulnerable to attack, and that will translate into more folks using their products, such as Android and Chrome -- and that translates into more bucks for Google. Smart move on their behalf.
Randall Jouett
Amateur Radio: AB5NI
Unequivocally, yes. Despite the risks, vulnerability research is enormously valuable. Security is a mindset, and looking for vulnerabilities nurtures that mindset.
ReplyDeleteWhile I appreciate "the hunt", can we get a waiver in writing detailing that we can actually hack Google because we're "on a mission from God"?
ReplyDeletePat Murphy
LPT Security Consulting
Pls which email can we report the bug to. And i got a message from dis email(vulnerabilityrewards2012@gmail.com) after reporting a bug on gmail that i am rewarded with $3133. Pls hw true is it.
ReplyDeleteSo its kind of more strict I guess, the updated rules for rewards program more tougher than before..
ReplyDelete