Google expands flaw bounty to cover web app vulnerabilities

Summary: Google plans to start paying bounties to hackers who find serious security flaws in web applications that manage highly sensitive user data.


As part of what is described as an experimental new vulnerability reward program that applies to Google web properties, the search marketing giant is inviting the security research community to report potentially dangerous flaws in "any web properties which display or manage highly sensitive authenticated user data or accounts."


The company specifically called out the flagship *.google.com domain, as well as the wildly popular *.youtube.com, *.blogger.com and *.orkut.com sites.

Google said it would pay the bounty for any serious bug that "directly affects the confidentiality or integrity of user data."

These include cross-site scripting (XSS) flaws, cross-site request forgery (XSRF/CSRF), cross-site script inclusion (XSSI), bypassing authorization controls (e.g. User A can access User B's private data), and server-side code execution or command injection.

More information on the plan can be found in this Google blog post.

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
