Google Security Team has announced a vulnerability reward program involving all Google web properties. Google says "this program will attract new researchers and the types of reports that help make our users safer."

In this program, all Google web properties that are involved with user data or accounts may be in scope. Very popular services such as google.com, youtube.com, blogger.com, orkut.com etc. fall under this. Google products such as Android, Picasa and Google Desktop are not included in this program at this time.

Google-branded sites operated by external companies, e.g. the Google Store, will not be considered under this program. Moreover, bugs found in services that Google has acquired within the last 6 months will not be considered.

Google says that any serious bug which directly affects the confidentiality or integrity of user data may be considered. However, a bug may also come under one of these categories:

  • Cross-site scripting
  • Cross-site request forgery
  • Cross-site script inclusion
  • Flaws in user authentication or authorization mechanisms
  • Server side code execution or command injection

What rewards will be given?

The minimum cash reward for a bug is $500, up to a maximum of $3,133.7 for the most serious loopholes. However, your submitted bug will be eligible only if the Google Security Team considers it valid. Regardless of whether you're rewarded monetarily or not, all vulnerability reporters who interact with us in a respectful, productive manner will be credited on the Hall of Fame.

How to report the bug?

If you believe you have discovered a vulnerability in a Google product or have a security incident to report, you can report it with details at security@google.com. In the report email, consider including a detailed summary of the issue, including the name of the product (e.g., Gmail) and the nature of the issue you have discovered.

Consider going through the official announcement page for more details.