For security researchers who find flaws in Internet services like Gmail, Blogger and YouTube, Google will reward $500 or more per bug. Vulnerabilities that are “severe or unusually clever” pay up to $3,133.70. Optionally, benevolent hackers can also donate their rewards to charity, in which case Google will match the winnings at its discretion.
Bug-hunting researchers will also be credited on Google’s security page.
To keep Web services running smoothly, Google is excluding bugs caused by denial of service attacks and search optimization tricks. Technologies recently acquired by Google are also off-limits.
This isn’t the first time Google has opened up security research to the masses with cash rewards. In January, the company announced a bounty program for Chromium, the open-source project behind Google’s Chrome Web browser, following the lead of Mozilla’s Firefox bounty program.
The move to Web apps, however, is an important and logical step for Google. The company is putting a lot of faith in Web apps as the future of computing, as evidenced by the upcoming Chrome OS. If users are going to store more and more sensitive information into online services, those services need to be secure.
In the future, Google may expand the program to client applications such as Android, Picasa and Google desktop. Let’s hope that happens soon; analysis firm Coverity recently found 88 high-risk defects in the Android kernel.