Google has decided to reward hackers who discover security loopholes instead of attempting to punish them. In a blog posting titled “rewarding web application security research,” the company announced that anyone who reports a security flaw in a Google-owned website will receive a reward in the form of cold, hard cash.
Earlier in the year, Google launched a similar program that offered cash rewards for discovering issues with Chromium, the code that runs the Chrome Web browser. Google commemorated those who found Chromium bugs in a Hall of Fame, which also lists the cash rewards they received, up to the amount of $1337.
Now Google is expanding the range of the program and raising the stakes. Hackers are encouraged to look for breaches in any Google domain including the sites Gmail, YouTube, and Blogger – any site that holds “highly sensitive authenticated user data or accounts.” Rewards for reporting a flaw will range from $500 up to $3,1337 for a particularly serious flaw. For the moment, the program does not extend to Google client applications like Android or Picasa.
Google also hopes the program will help keep security flaws from being publicized before they can be addressed. “We believe handling vulnerabilities responsibly is a two-way street,” the company states. “It’s our job to fix serious bugs within a reasonable time frame, and we in turn request advance, private notice of any issues that are uncovered.” Google will, however, allow hackers to disclose their achievements after the problem has been fixed.
There are also some hacking guidelines set forth by the company. Obviously, Google discourages bug hunters from searching for vulnerabilities in other users' accounts and asks that hackers restrict themselves to testing their own accounts. The program also makes provisions for the philanthropic hacker, promising that it will match any reward money that ends up being donated to charity. Happy hacking!