Google expands flaw bounty to cover web app vulnerabilities
Google plans to start paying bounties to hackers who find serious security flaws in web applications that manage highly sensitive user data.
As part of what is described as an experimental new vulnerability reward program that applies to Google web properties, the search marketing giant is inviting the security research community to report potentially dangerous flaws in "any web properties which display or manage highly sensitive authenticated user data or accounts."
The company specifically called out the flagship *.google.com domain, as well as the wildly popular *.youtube.com, *.blogger.com and *.orkut.com sites.
Google said it would pay the bounty for any serious bug that "directly affects the confidentiality or integrity of user data."
These include cross-site scripting (XSS) flaws, cross-site request forgery (XSRF/CSRF), cross-site script inclusion(XSSI), bypassing authorization controls (e.g. User A can access User B's private data), and server-side code execution or command injection.