Google offers web app bug-bounty

Google will start to pay researchers for flaws found in Google web applications, the company has announced.

Google will pay between $500 (£300) and $3,133.70 for qualifying bugs, the Google security team said in a blog post on Monday.

Flaws that could lead to the disclosure of sensitive data in sites such as Google, YouTube, Blogger, and Orkut could be liable for reward, said Google. Researchers should not launch denial of service or other attacks against Google infrastructure, said the company.

"Please, only ever target your own account or a test account," said the blog post. "Never attempt to access anyone else's data. Do not engage in any activity that bombards Google services with large numbers of requests or large volumes of data."

Researchers from Cuba, Iran, North Korea, Sudan and Syria will not be paid for any disclosures, as the countries are part of US sanctions lists, said Google.

The initiative follows the launch of a similar payment system Google launched for the disclosure of flaws in the Chromium web browser in January.

Security company F-Secure said in a blog post on Monday that Google's Android mobile operating system was not included in the bug-bounty programme.

"The program only covers Google's web-based properties so far, so any enterprising researchers looking for bugs in the shiny new target of the year — i.e., Android — won't get paid for it," said the company. "Still, Google has left the door open for later expansion of the program, so who knows."