Google Brings Bug Bounty To Web Apps

Chromium's vulnerability rewards program has been extended to Google's Web properties.

Thomas Claburn, Editor at Large, Enterprise Mobility

November 2, 2010

2 Min Read

Google is promising to pay people who find vulnerabilities in its Web applications.

Having seen improvements in the security of its Chromium Web browser following the launch of a bug bounty program in January, Google has decided to offer rewards to individuals who report security flaws in its Web applications.

"[W]e hope our new program will attract new researchers and the types of reports that help make our users safer," members of Google's security team said in a group blog post.

The expanded rewards program may include any Google Web property that involves the handling of sensitive user data. Possible examples include,,, and

Google isn't specifying exactly which sorts of vulnerabilities qualify for a reward. Rather it is providing general guidance. Each submission will be reviewed before Google decides whether the discovery merits a reward.

Types of vulnerabilities that Google considers reward-worthy include: XSS, XSRF/CSRF, XSSI, bypassing authorization controls, and server-side code execution or command injection.

Google says it won't pay for vulnerabilities involving attacks on Google's corporate infrastructure, social engineering and physical attacks, denial of service bugs, client vulnerabilities, SEO blackhat techniques, vulnerabilities in Google-branded Web sites hosted by third parties, or bugs in technologies that Google has recently acquired.

Google's desktop and mobile applications, such as Android, Picasa, and Google Desktop, are outside of the scope of its expanded rewards program.

The base reward is $500 and rewards may be increased at the awards panel's discretion, up to $3,133.7 for particularly clever discoveries. Google says it will provide individuals with the option to direct their reward to charity if they're not interested in receiving money.

The company says that it's unable to offer rewards to individuals in countries under U.S. sanctions or to minors.

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights