Google Vulnerability Program Meets With Early Success

    November 12, 2010

Perhaps the best possible thing, from Google’s point of view, would have been if it had announced its vulnerability reward program and then heard nothing at all.  But a short while after the program’s launch, Google’s seen a response that it still characterized as "fantastic" as people have been quick to bring problems to light.

A little background info, in case you missed it: early this month, Google offered money to people who could find certain bugs, stating that "[a]ny Google web properties which display or manage highly sensitive authenticated user data or accounts may be in scope." The sum would vary from $500.00 to $3,133.70 depending on the severity of the issue.

Now, a post on the Google Online Security Blog has stated, "We’ve received many high quality reports from across the globe.  Our bug review committee has been working hard, and we’re pleased to say that so far we plan to award over $20,000 to various talented researchers."

That might translate to as many as 40 vulnerabilities (or as few as seven).

So the program’s achieving its stated goal, at least. And all this doesn’t necessarily mean Google’s engineers overlooked a lot. Apparently "[t]he review committee has been somewhat generous this first week," and Google intends to be stricter about sending out checks in the future.

Lots more details are available here if you’re interested in participating in the program.