Quick update on our vulnerability reward program

Thursday, November 11, 2010 4:10 PM



About a week and a half ago we launched a new web vulnerability reward program, and the response has been fantastic. We've received many high quality reports from across the globe. Our bug review committee has been working hard, and we’re pleased to say that so far we plan to award over $20,000 to various talented researchers. We'll update our 'Hall of Fame' page with relevant details over the next few days.

Based on what we've received over the past week, we've clarified a few things about the program — in particular, the types of issues and Google services that are in scope for a reward. The review committee has been somewhat generous this first week, and we’ve granted a number of awards for bugs of low severity, or that wouldn’t normally fall under the conditions we originally described. Please be sure to review our original post and clarification thoroughly before reporting a potential issue to us.

10 comments:

abel said...

THIS IS COOL

arjay said...

hope it works to me

Screws said...

This is a great idea - I hope Google does well with it. However, rewards should be related to benefits - which I am sure are somewhat more than $3,337.

Why not expand it to include suggestions of any kind, that are of benefit to Google? Improvements in Google search, new products etc. My guess is that Google would be very surprised what suggestions they might receive.

I used to send suggestions to Apple - but after they quoted from one of my emails in a new product release, with no acknowledgement or thanks to me, I stopped doing it. The features of Apple's products that are suggested by users are, I believe, a significant part of the Apple 'user experience'.

Try it, Google -

Nishant said...

This initiative is well appreciated by all internet fans :)

Robin said...

Thank you for bringing this important information to me. Yes, there are a bit of bug reports that I may provide to you, and one important one is: a serious bug which directly affects the confidentiality of my information. I will get back with you on this bug that could have seriously impacted the loss of my life and others connected to such.
There will be a bit of research on my part, but I am sure that all the information I need to bring this to you is stored in one of my hard drives.
Thank you for reading.

wild thing said...

I second Screws' comment; had similar experiences as he did giving free feedback and writing free "public" blogs, only to see my IP stolen without even the courtesy of attributing theft of my intellectual property ~ my fault, of course.

But that ended my public blogging days and my free feedback / help groups management days. MSFT was right to kill MSN Groups, and no one reads Yahoo or Google Help Groups anymore ~ people simply post their "demands for help info" to them and get upset if Yahoo or Google fails to post replies.

About the Vulnerabilities program, forgive me, but I don't get the point. Very big kids who have top reputations in the networking and internet security industry work like lightning for their clients like government, industry and other large institutional accounts to share vulnerabilities as found, and get paid far more than the $20K you're offering.

As well, most of those experts employed by large firms are barred from casual "sharing" of vulnerabilities. Their employers well know the going rates for such exceptional work ~ some might say that their employers "make the world market" in the large enterprise security consulting field and "a la carte" sort of $20K+ per report doesn't fit within their business models ~ at least, those of which I'm aware.

Insofar as the small consulting shops in vulnerability discovery / reporting who regularly appear at the annual conferences, these small but effective shops are also well ~ known to Google. They know how to approach Google in the appropriate manner, and I've little doubt they do all the time.

Forgive me, but I'm trying to amplify on my point above .. that I just don't understand whom Google is targeting with this rewards program update.

Internet SecuritT Group said...

I think this is a great program and that if many other companies did the same we would not have as many security issues as we currently experience.

Julio said...

Too bad I don't understand anything about programming languages, because I would be willing to help, especially being well rewarded for it...

Juliette said...

Thanks, Privacy is very important to me!

Club Penguin CP said...

nice work!