Google Brings Bug Bounty To Web Apps

Chromium's vulnerability rewards program has been extended to Google's Web properties.
Google is promising to pay people who find vulnerabilities in its Web applications.

Having seen improvements in the security of its Chromium Web browser following the launch of a bug bounty program in January, Google has decided to offer rewards to individuals who report security flaws in its Web applications.

"[W]e hope our new program will attract new researchers and the types of reports that help make our users safer," members of Google's security team said in a group blog post.

The expanded rewards program may include any Google Web property that involves the handling of sensitive user data. Possible examples include Google.com, YouTube.com, Blogger.com, and Orkut.com.

Google isn't specifying exactly which sorts of vulnerabilities qualify for a reward. Rather, it is providing general guidance. Each submission will be reviewed before Google decides whether the discovery merits a reward.

Types of vulnerabilities that Google considers reward-worthy include: XSS, XSRF/CSRF, XSSI, bypassing authorization controls, and server-side code execution or command injection.

Google says it won't pay for vulnerabilities involving attacks on Google's corporate infrastructure, social engineering and physical attacks, denial of service bugs, client vulnerabilities, SEO blackhat techniques, vulnerabilities in Google-branded Web sites hosted by third parties, or bugs in technologies that Google has recently acquired.

Google's desktop and mobile applications, such as Android, Picasa, and Google Desktop, are outside of the scope of its expanded rewards program.

The base reward is $500 and rewards may be increased at the awards panel's discretion, up to $3,133.7 for particularly clever discoveries. Google says it will provide individuals with the option to direct their reward to charity if they're not interested in receiving money.

The company says that it's unable to offer rewards to individuals in countries under U.S. sanctions or to minors.
