Smart companies tolerate security researchers who hack their products. Smarter companies pay them for it.
Put Google in that second category. On Monday, the search giant announced on its security blog that it’s expanding its “bug bounty” program, a rewards system that offers payments of up to $3,1337 to anyone who can demonstrate a serious security vulnerability in its software. Instead of merely focusing on Chromium, the open source code behind its Chrome browser, those bounties now apply to the company’s Web application bugs, too.
Any hacker who finds an exploitable bug on a Google site that hosts “highly sensitive authenticated user data or accounts” – domains like Gmail, YouTube, Blogger or any other Google service – can tell Google about the issue privately and earn anywhere from $500 to $3,1337 for especially clever finds. (That 1337 signifies “leet”, semi-ironic hacker jargon for an “elite” practitioner of the digital dark arts.) If any researcher would rather donate their bug bounty to charity, Google is offering to match it.
On top of giving independent researchers an incentive to help eliminate vulnerabilities in Google’s code, the program may also help keep those bugs private before they’re fixed. Google’s rewards come packaged with restrictions on how the researcher can publicize his or her find. “We believe handling vulnerabilities responsibly is a two-way street,” Google’s security team writes. “It’s our job to fix serious bugs within a reasonable time frame, and we in turn request advance, private notice of any issues that are uncovered.”
Google is far from the only bug-buyer on the market: Firefox creator Mozilla, Verisign’s iDefense, and HP’s Zero Day Initiative all offer bounties for vulnerabilities. (Last month a twelve-year-old earned $3,000 by exposing a bug in Firefox.) But those companies pay for bugs in traditional desktop applications, not Web-based apps. Google’s program doesn’t apply to its client programs like Picasa or Android, but it opens the bounty field to common Web bugs like cross-site scripting and cross-site request forgery, weak points that Web-focused security firms like White Hat Security say exist in over 80% of sites.
You can read the full terms of Google’s bounty offer here. And happy hunting.