Google puts bounty on bugs
Chrome project to reward security researchers is experimentally extended to internet giant's sites
Wanted: Preferably alive, reward $500
Google plans to reward security researchers who find vulnerabilities in its web sites with cash handouts of between $500 (£312) and more than $3,000.
The scheme, announced yesterday on Google’s security blog, is an extension of a similar one used to hunt bugs in Chrome, Google’s browser.
It covers the Google, YouTube, Blogger and Orkut web sites, and may be extended to applications and operating systems such as Android, the security team said in the blog.
The scheme is currently being described as experimental, reflecting Google’s near-eternal beta policy for its projects.
The standard bounty for a provable bug is $500 but rewards of up to $3,133 may be issued for vulnerabilities judged to be “severe or unusually clever”.
Google’s security team has been quite prescriptive about the type of bugs it is looking to uncover: essentially access authorisation vulnerabilities. Denial-of-service attacks are a no-no.
Financially independent hackers who eschew the reward and would rather give their bounty to charity can ask Google to match the gift.