Google’s Vulnerability Reward Program

Posted by admin on Dec 8, 2010 in Bugs, Google Vulnerability Rewards |
Google Vulnerability Research Reward


Some of you may have heard that Google has recently launched a new programme to encourage responsible disclosure of security bugs in their products and websites.

This scheme is called the Google Vulnerability Reward Programme. You can read more about it on Google’s security blog.

The basics are that anyone finding a “relevant” bug that could compromise the security or privacy of Google’s customers (that’s you and me) will receive a standard amount of $500.00, and if the bug found shows flair then Google may award up to $3,133.7 (which spells “eleet” in hacker talk).

Now most people who try to find any bugs in Google will fail, as their systems are some of the most widely used in the world and they can afford to hire the best of the best when it comes to Security Bods, System Testers (called Engineers in Test at Google) and also decent coders.

So we don’t expect things to be easy; however, I was surprised, like many others, to find quite a few issues.

Obviously I can’t post any details about the issues until Google give me the go-ahead. However, expect some posts in the near future.

The reward programme is a great way for System / Web Testers and Penetration Testers to try out a few things and learn something along the way.

One thing I will say is that Google are getting stricter about which reported issues count.

For example:

I found a bug which allowed me to execute JavaScript (XSS) on virtually any of Google’s sites. However, Google deemed that it was not really a bug as it would not really be exploitable in the wild, meaning that you couldn’t send a link or embed the malicious code on a site and have it executed in a victim’s browser.

I still thought XSS on nearly every Google domain was a major issue; however, they think otherwise. Either way, I’ll keep the method secret in case they change their minds.

So you have to find issues that could actually be exploited in the real world, and you also have to find them first.

I also found a bug on another Google site. I submitted my report and got a reply from a security engineer that someone else had already reported the same issue before me.

If you’re thinking, what’s to stop Google accepting your submission and then just saying “we already know about that one”? Well, the answer is nothing. It has to be a trust thing. They trust that the reporter will not exploit the bug for their own ends and will keep the issue secret, and the reporters have to trust that Google works on honesty and wouldn’t lie just to save a few hundred or thousand dollars.

So if you have a few hours spare and want to have a bit of fun while learning, then have a go.

Remember: no automated tools, and only test on your own account (nothing destructive).

Try to concentrate on a particular area, whichever one you are best at. For me that would be XSS, whereas, as you can see from Neal Poole’s posts, he seems to focus more on CSRF.

Good luck.

1 Comment

Neal Poole
Dec 12, 2010 at 8:18 pm

Thanks for the links back! :)

I’ve actually found some cross site scripting vulnerabilities as well: I just can’t talk about them until they’re patched! :-P

In total, I’ve submitted 11 vulnerabilities since the program started. A few statistics:
- One of those ended up being a duplicate of an internally filed bug report (so the team was already aware of it).
- One other didn’t quite qualify for a reward. It was a CSRF vulnerability in a fairly non-critical part of an application: it’s still being patched, so I can’t say anything more about it.
- I’m waiting to hear the panel’s decision on three other vulnerabilities.
- Two have been patched so far (and I’ve been paid the reward money for them).
- The rest are all in the process of being patched.

If you want to see some cool vulnerabilities that someone else has found, I’d also recommend checking out http://adblockplus.org/blog/finding-security-issues-in-a-website-or-how-to-get-paid-by-google


Copyright © 2012 The Test Manager Blog. All rights reserved.