Google’s Bug Bounty Program: Barbarians at the Gate

Google is offering hackers the chance to win a cash bounty if they can find vulnerabilities in the search giant’s top Web applications such as YouTube, Blogger, Gmail and Google.com. Successful Google invaders can be awarded up to $3,133.70 for their hack as well as get their name added to a Google credit Web page.

Google is only rewarding hackers who can find vulnerabilities using scripting language or injecting code onto a Web page. Attacks not included under the new program include vulnerabilities found in Android, Google desktop programs (Picasa, Google Desktop, etc.), distributed denial of service (DDoS), attacks against Google’s corporate infrastructure and gaming Google’s search algorithms.

While Google’s new security challenge shouldn’t affect regular users, it’s always good to know what’s going on. Here’s what you need to know about Google’s new bug bounty program.

Which Google Web applications can be targeted?

Google says that any Web app that “displays or manages highly sensitive authenticated user data or accounts” can be targeted. This could include many commonly used Google apps including Gmail, Google Docs, Blogger and YouTube.

Does that mean my account can be targeted?

No. Attacks against regular users to test an app’s vulnerability are forbidden. Google has directed its hacker helpers to “never attempt to access anyone else’s data.” Google also explicitly states that a hacker’s testing “must not violate any law.”

What if I feel my account is being targeted?

It’s highly unlikely that Google’s bug bounty program will cause a rise in attacks on regular users. Nevertheless, there are other hackers out there who are not high-minded enough to help Google improve its security. Google has a variety of ways to report abuse. Gmail users can flag messages as spam or phishing attempts from within their Gmail window. There are also pages to help you report other types of abuse for Google Web apps such as Google Docs, Gmail and Google Buzz.

Why is Google doing this?

Google has run a similar vulnerability program for close to a year for its Chromium Web browser open source project. Hackers are invited to find weaknesses in Chromium (the browser where new code for Google’s Chrome browser is tested), and earn a cash reward and credit for their find. The concept was inspired by a similar program run by the Mozilla Foundation (makers of the Firefox browser).

Although Google’s Web apps are not open source software, the bounty program also adheres to the philosophy of open source projects that the more eyes you have looking at something, the more likely you are to find flaws and improve it.

Why is the top bounty $3,133.70?

Hackers can be rewarded anywhere from $500 to $3,133.70 for finding a flaw in Google’s Web apps. The company doesn’t say why the top prize is such a strange number, but Google is well known for embedding geeky jokes into its products and services. The original Chromium bounty, for example, was $1,337, a nod to the code system Leet.

Leet replaces letter with numbers to let users send “secret” messages to each other. In Leet, 1337 corresponds to LEET, and 31337 would be ELEET (elite). If you’ve got any other guesses as to why Google chose $3,133.70 as its top bounty let us know in the comments.

Ultimately, Google’s Bug Bounty program should not affect regular users and may even improve security for the Google products you use every day. Not a bad idea considering Google had to deal with suspected attacks from hackers based in China this year.

Connect with Ian ( @ianpaul ) on Twitter.