Wednesday, November 3, 2010

DNS – Google Rewarding Web Application Security Research
Google said this week that an existing program promoting security for its open-source Chromium project has been so successful that it is extending it to Google Web applications.


According to a Google blog post from the company's security team, the Chromium open source project launched its vulnerability reward program in January 2010, and the program has been well received.

In the ensuing months, researchers reporting a wide range of high-quality bugs have received rewards. The company has seen a sustained increase in the number of high-quality reports from researchers, and their combined efforts are contributing to a more secure Chromium browser for millions of users.

Motivated by the success, Google has announced an experimental new vulnerability reward program that applies to Google Web properties.

“We hope our new program will attract new researchers and the types of reports that help make our users safer,” according to the Google blog post.

Any Google Web property that displays or manages highly sensitive authenticated user data or accounts may be in scope. Examples include *.google.com, *.youtube.com, *.blogger.com and *.orkut.com.

For now, Google's client applications (e.g. Android, Picasa, Google Desktop, etc.) are not in scope. Google may expand the program in the future.

It is difficult to provide a definitive list of vulnerabilities that will be rewarded; however, any serious bug that directly affects the confidentiality or integrity of user data may be in scope, Google says.

It anticipates most rewards will be in bug categories such as XSS, XSRF/CSRF, XSSI (cross-site script inclusion), bypassing authorization controls (e.g. user A can access user B's private data), and server side code execution or command injection.

These categories of bugs are definitively excluded: attacks against Google's corporate infrastructure; social engineering and physical attacks; denial of service bugs; non-web application vulnerabilities, including vulnerabilities in client applications; SEO blackhat techniques; vulnerabilities in Google-branded websites hosted by third parties; and bugs in technologies recently acquired by Google.

The base reward for qualifying bugs is $500. If the rewards panel finds a particular bug to be severe or unusually clever, rewards of up to $3,133.7 may be issued. The panel may also decide a single report actually constitutes multiple bugs requiring reward, or that multiple reports constitute only a single reward.