It is well known that there are many security threats to users and computers across the Internet. Even Google has experienced hits, like the one that occurred earlier in the year. Now Google is trying to get ahead of vulnerabilities by rewarding hackers who find and report those weaknesses.
Google recently paid two $1,337 bounties for work that lets Chrome avoid critical security problems by sidestepping vulnerabilities in Windows and the widely used glibc software library. Google is serious about this: it also recently paid people who found three high-risk vulnerabilities and one medium-risk vulnerability in the browser. A low-risk problem brought no payment.
From the blog post, Google said this:
- “The maximum reward for a single bug has been increased to $3,133.7. We will most likely use this amount for SecSeverity-Critical bugs in Chromium. The increased reward reflects the fact that the sandbox makes it harder to find bugs of this severity.
- Whilst the base reward for less serious bugs remains at $500, the panel will consider rewarding more for high-quality bug reports. Factors indicating a high-quality bug report might include a careful test case reduction, an accurate analysis of root cause, or productive discussion towards resolution.”
Here are some examples of security vulnerabilities that Google considers worth paying for.
Anyone who finds issues such as cross-site scripting vulnerabilities in Google properties, including Google Docs, YouTube, Orkut, Blogger, and Gmail, is eligible. However, at this time the program doesn’t include software that runs on local computing devices, such as Picasa, Android, and Sketchup, although it may go in that direction later.
There are also some exclusions. For example, some types of problems, such as social engineering and denial-of-service attacks, aren’t eligible for rewards. And if the bug finder lives in North Korea, Cuba, Sudan, Iran, or Syria, forget it: they aren’t eligible, for legal reasons.