Google is now trying to crowdsource security researchers from around the world (well, almost: the list excludes countries on the US government's sanctions list) to find vulnerabilities in the web properties Google operates. This is not new; many providers use this approach to find vulnerabilities in their web applications and fix them before someone abuses them. Mozilla has a bounty program, and the Chromium project launched one recently.
Google is inviting security researchers and hackers from around the world to check Google properties where highly sensitive user data is stored. Some of the sites include
- *.google.com
- *.youtube.com
- *.blogger.com
- *.orkut.com
Client applications like Picasa, Google Desktop, Android, etc. are not part of the program. The categories of bugs included in the program are
- XSS
- XSRF/CSRF
- XSSI
- Bypassing authentication controls
- Server side code execution or command injection
Categories of bugs that are excluded from the program are
- attacks against Google’s corporate infrastructure
- social engineering and physical attacks
- denial of service bugs
- non-web application vulnerabilities, including vulnerabilities in client applications
- SEO blackhat techniques
- vulnerabilities in Google-branded websites hosted by third parties
- bugs in technologies recently acquired by Google
These exclusions make complete sense, because such activity has the potential to disrupt the services or even compromise corporate security.
Along with some ego-boosting rewards, like credit for the discovery on their properties and a Hall of Fame style web page for regular contributors, there are financial rewards, which will be distributed at Google's discretion. A panel of Google's own security researchers will decide on the bugs submitted. The base award for qualifying bugs starts at $500 and goes up to $3,133.70 for severe and unusually clever bugs.
Well, by setting up this program, Google is not only tapping into the large pool of freelance security researchers and hackers but also motivating them to come to Google first before going public. Either way, the responsible way for security researchers and hackers who find bugs in web applications is to contact the provider first and give them an opportunity to fix the bug before going public. If they can get paid for that work, it is a good thing for both the researchers and the vendor. I hope all the SaaS startup vendors engage with freelance security researchers and hackers in this way. It will help them have a secure web application at a lower cost than hiring a star security team.