November 1, 2010

Google on Monday said it was expanding a program to pay security researchers who discreetly report software flaws in the company’s products. The move appears aimed at engendering goodwill within the hacker community while encouraging more researchers to keep their findings private until the holes can be fixed.

Earlier this year, Google launched a program to reward researchers who directly report any security holes found in the company’s Chrome open-source browser project. With its announcement today, Google is broadening the program to include bugs reported for its Web properties, including Gmail, YouTube, Blogger and others (the company says its client applications, such as Android, Picasa and Google Desktop, are not included in the expanded bounty program).

The program is unlikely to attract those who are looking to get rich selling security vulnerabilities, as there are several less reputable places online where critical bugs in important online applications can fetch far higher prices. But the expanded bounty may just win over researchers who might otherwise post their research online, effectively alerting Google to the problem at the same time as the cyber criminal community.

“We already enjoy working with an array of researchers to improve Google security, and some individuals who have provided high caliber reports are listed on our credits page,” Google’s security team wrote on the company’s security blog. “As well as enabling us to thank regular contributors in a new way, we hope our new program will attract new researchers and the types of reports that help make our users safer.”

The standard reward for bugs will continue to be public recognition and $500, although the search giant said bugs that are particularly severe or clever could earn rewards of up to $3,133.7 (leetspeak for “elite”).

Google said it won’t pay for bugs that involve overtly malicious attacks, such as social engineering and physical attacks or so-called “black hat search engine optimization” techniques, and that it wouldn’t count less serious flaws such as denial-of-service bugs, or flaws in technologies recently acquired by Google.

Other companies have established bug bounty programs. For example, Mozilla, the organization behind the Firefox Web browser, for years paid researchers $500 for bugs, but recently upped the amount to $3,000.

Charlie Miller, a security researcher who has reported a large number of bugs in a variety of applications and programs, was initially critical of such a tiny bounty from one of the world’s wealthiest and most powerful businesses. But reached via e-mail Monday evening, Miller said that while he’d always like to see more money being paid to bug researchers, the relatively few companies that offer bug bounties also deserve recognition.

“With so many companies (MS, Adobe, Apple, Oracle) not paying anything, I’m very happy to see any money going out for these types of programs,” Miller wrote. “It motivates and rewards researchers. The security of the products (or websites) that the average person uses goes up. Also, it provides vendors with a level of control they otherwise lack. If a researcher reports a bug and then decides they think the process is not working well, they’ll think twice about dropping it on full disclosure if they know they’ll lose their finder’s fee.”


10 thoughts on “Google Extends Security Bug Bounty to Gmail, YouTube, Blogger”

  1. Louis Leahy

    Now I am never the first one to get a comment in! Knowing how savvy your readership is, maybe they have all shot off to earn some bounties. Perhaps the reward has been set so low because of an expected deluge.

  2. Joao

    I wonder how Google is going to distinguish between real attacks and people just poking around trying to find bugs.

    1. Mark Van Halden

      if bug exploited and reported = do not sue
      if bug exploited and not reported = sue

      I don’t know man…

    2. Russ

      That’s not an important distinction. Even “white hat” people poking around could accidentally cause issues. Google will try to protect against everything & anything. Part of a successful exploit will be demonstrating how to bypass existing protections. That’s why they bounty these things, I suppose. If someone does find a weakness there is incentive for them to disclose it to Google, possibly preventing the next Gumblar or its ilk from affecting Google’s services.

      1. Russ

        peple = people

        Argh, that’s going to haunt me all day as I scroll these comments…

      2. JS

        I’d rather earn $2.56 from Knuth…
        http://en.wikipedia.org/wiki/Knuth_reward_check

        Probably harder to find an error in his books than in Google’s code.

        Having a check from Knuth… the street cred is awesome. Having a check from Google is meh.. for 15 minutes of fame.

        However I’d like to see Google have the intent in their program .10% as much as Knuth’s magnanimity.

        Knuth adds in interest when he doesn’t respond immediately…

    3. Helly

      Google’s blog mentions a few ways they help distinguish between researchers and real attackers. Two that jumped out at me were that researchers are only allowed to attack their own accounts, and that no automated tools can be used.

      As an individual trying single XSS and CSRF variations in my own account, it is probably not worth Google’s time to investigate each occurrence. If I were malicious and discovered a vulnerability this way, as soon as it becomes widely exploited Google can respond as usual. I would bet if you started using automated software to discover vulns you would quickly attract their attention. Otherwise I expect it is an acceptable risk to allow low volume attempts at exploiting their application, given the security benefits.