Google's Experimental Vulnerability Reward Program for Google Web Properties

Google introduces an experimental new vulnerability reward program that applies to Google web properties. Here's some info about the new program in a question and answer format:

Q) What apps are in scope?

A) Any Google web properties which display or manage highly sensitive authenticated user data or accounts may be in scope. Some examples:

  • *.google.com
  • *.youtube.com
  • *.blogger.com
  • *.orkut.com

Q) What classes of bug are in scope?

A) Any serious bug which directly affects confidentiality or integrity of user data. We anticipate most rewards will be in bug categories such as:

  • XSS
  • XSRF / CSRF
  • XSSI (cross-site script inclusion)
  • Bypassing authorization controls (e.g. User A can access User B's private data)
  • Server side code execution or command injection

These categories of bugs are definitively excluded:

  • attacks against Google's corporate infrastructure
  • social engineering and physical attacks
  • denial of service bugs
  • non-web app vulnerabilities, including vulnerabilities in client apps
  • SEO blackhat techniques
  • vulnerabilities in Google-branded websites hosted by 3rd parties
  • bugs in technologies recently acquired by Google

More Info: Google security and product safety
