Skip to main content

The new rewards program to encourage independent security researchers to work in order to improve Google security. Empowering Users and Administrators to Improve Security and Compliance 16 ... control company data, but via cloud-based tools and dashboards. Rather than only using .... malware and phishing, and offer rewards for finding security bugs ,google recaptcha,google captcha

Google Security Team

The new rewards program to encourage independent security researchers to work in order to improve Google security.
The new rewards program to encourage independent security researchers to work in order to improve Google security.

Back in January of this year, the Chromium open source project launched a well-received vulnerability reward program. In the months since launch, researchers reporting a wide range of great bugs have received rewards — a small summary of which can be found in the Hall of Fame. We've seen a sustained increase in the number of high quality reports from researchers, and their combined efforts are contributing to a more secure Chromium browser for millions of users.

Today, Google US company launched its service through the cloud storage "Google Drive" a new rewards program to encourage independent security researchers to work in order to improve the security of their data cloud.

In the spirit of the original Chromium blog post, we have some information about the new program in a question and answer format below:

Q) What applications are in scope?
A) Any Google web properties which display or manage highly sensitive authenticated user data or accounts may be in scope. Some examples could include:
*.google.com
*.youtube.com
*.blogger.com
*.orkut.com
For now, Google's client applications (e.g. Android, Picasa, Google Desktop, etc) are not in scope. We may expand the program in the future.

UPDATE: We also recommend reading our additional thoughts about these guidelines to help clarify what types of applications and bugs are eligible for this program.

Google Security Team

Google Security Team
Q) What classes of bug are in scope? 
A) It's difficult to provide a definitive list of vulnerabilities that will be rewarded; however, any serious bug which directly affects the confidentiality or integrity of user data may be in scope. We anticipate most rewards will be in bug categories such as:
XSS
XSRF / CSRF
XSSI (cross-site script inclusion)
Bypassing authorization controls (e.g. User A can access User B's private data)
Server side code execution or command injection
Out of concern for the availability of our services to all users, we ask you to refrain from using automated testing tools.

These categories of bugs are definitively excluded:
attacks against Google’s corporate infrastructure
social engineering and physical attacks
denial of service bugs
non-web application vulnerabilities, including vulnerabilities in client applications
SEO blackhat techniques
vulnerabilities in Google-branded websites hosted by third parties
bugs in technologies recently acquired by Google
Q) How far should I go to demonstrate a vulnerability?
A) Please, only ever target your own account or a test account. Never attempt to access anyone else's data. Do not engage in any activity that bombards Google services with large numbers of requests or large volumes of data.

Q) I've found a vulnerability — how do I report it?
A) Contact details are listed here. Please only use the email address given for actual vulnerabilities in Google products. Non-security bugs and queries about problems with your account should should instead be directed to the Google Help Centers.

Q) What reward might I get?
A) The base reward for qualifying bugs is $500. If the rewards panel finds a particular bug to be severe or unusually clever, rewards of up to $3,133.7 may be issued. The panel may also decide a single report actually constitutes multiple bugs requiring reward, or that multiple reports constitute only a single reward.

We understand that some researchers aren’t interested in the money, so we’d also like to give you the option to donate your reward to charity. If you do, we'll match it — subject to our discretion.

Regardless of whether you're rewarded monetarily or not, all vulnerability reporters who interact with us in a respectful, productive manner will be credited on a new vulnerability reporter page. If we file a bug internally, you'll be credited.

Superstar performers will continue to be acknowledged under the "We Thank You" section of this page.

Q) How do I find out if my bug qualified for a reward?
A) You will receive a comment to this effect in an emailed response from the Google Security Team.

Q) What if someone else also found the same bug?
A) Only the first report of a given issue that we had not yet identified is eligible. In the event of a duplicate submission, only the earliest received report is considered.

Q) Will bugs disclosed without giving Google developers an opportunity to fix them first still qualify?
A) We believe handling vulnerabilities responsibly is a two-way street. It's our job to fix serious bugs within a reasonable time frame, and we in turn request advance, private notice of any issues that are uncovered. Vulnerabilities that are disclosed to any party other than Google, except for the purposes of resolving the vulnerability (for example, an issue affecting multiple vendors), will usually not qualify. This includes both full public disclosure and limited private release.

Q) Do I still qualify if I disclose the problem publicly once fixed?
A) Yes, absolutely! We encourage open collaboration. We will also make sure to credit you on our new vulnerability reporter page.

Q) Who determines whether a given bug is eligible?
A) Several members of the Google Security Team including Chris Evans, Neel Mehta, Adam Mein, Matt Moore, and Michal Zalewski.

Q) Are you going to list my name on a public web page?
A) Only if you want us to. If selected as the recipient of a reward, and you accept, we will need your contact details in order to pay you. However, at your discretion, you can choose not to be listed on any credit page.

Q) No doubt you wanted to make some legal points?
A) Sure. We encourage broad participation. However, we are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. This program is also not open to minors. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.

This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time, and the decision as to whether or not to pay a reward has to be entirely at our discretion.

Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.

Thank you for helping us to make Google's products more secure. We look forward to issuing our first reward in this new program.

Comments

Popular posts from this blog

Start Trading Cryptocurrencies with CEX.IO: A Beginner-Friendly Guide

 Start Trading Cryptocurrencies with CEX.IO : A Beginner-Friendly Guide Learn how to trade cryptocurrencies easily and securely with CEX.IO Are you interested in diving into the exciting world of cryptocurrencies? Whether you’re a beginner or a seasoned trader, CEX.IO is the perfect platform to kickstart your trading journey. What is CEX.IO ? CEX.IO is a trusted global cryptocurrency exchange that offers a user-friendly platform for trading a wide range of digital currencies. With its secure and straightforward interface, it has become a favorite among crypto enthusiasts worldwide. Why Choose CEX.IO? 1. Easy to Use: A clean and intuitive interface suitable for beginners and experts alike. 2. Top-Notch Security: Advanced measures to protect your funds and personal data. 3. Wide Range of Cryptocurrencies: Trade popular coins like Bitcoin, Ethereum, Litecoin, and more. 4. Flexible Payment Options: Deposit and withdraw using credit cards, bank transfers, and other convenient methods. 5...

The Most Expensive Car in the World: A Masterpiece on Wheels

The Most Expensive Car in the World: A Masterpiece on Wheels The Most Expensive Car in the World: A Masterpiece on Wheels Introduction Cars are more than just a mode of transportation; they represent luxury, innovation, and cutting-edge design. In the world of high-end automobiles, one model always takes the crown as the most exclusive and expensive. What is the most expensive car in the world, and what makes it worth its staggering price? 1. The History of Luxury Cars A brief overview of the evolution of luxury automobiles. Iconic brands like Rolls-Royce, Bugatti, and Ferrari that have dominated the market. 2. The Current Crown: The Most Expensive Car in 2024 A detailed description of the most expensive car currently (e.g., Bugatti La Voiture Noire or Rolls-Royce Boat Tail, depending on the latest updates). Technical and design specifications (engine, performance, aesthetics). Official price and the factors justifying it. 3. Why Is This Car So Expensive? Key elements that elevate its ...

State regulation declaring the execution of American Peter Kaseg

State regulation declaring the execution of American Peter Kaseg Broadcast organization of the Islamic state on Sunday, a video recording of the execution of the American hostage Peter Kaseg accompanied by a number of those who said they were organized by Syrian soldiers. And appeared in the registry, which was broadcast regulation and a 15-minute number of members of the organization who lead the American hostage accompanied by a number of people dressed in blue uniforms, said the organization they Syrian soldiers. Addressing the masked man US President Barack Obama, saying, "Today slaughter soldiers (Syrian President) Bashar and tomorrow We will slaughter your soldiers" and said they "Sivbhon" those in their own homes, and stressed that the organization "will break soon this last crusade" in reference to the campaign by US-led with the participation of dozens of countries and targeting state regulation sites in both Iraq and Syria. He s...