Google targets cross-site scripting by more than doubling bug bounties

The internet giant is more than doubling the bug bounty from $3,133.70 to $7,500 for finding XSS flaws in sensitive web properties, and from $1,337 to $5,000 for XSS flaws in Gmail and Google Wallet. XSS issues in “normal” Google properties will now yield $3,133.70, up from $500.

It’s also now paying $7,500 for turning in “significant” authentication bypasses or information leaks in the company’s web properties, up from $5,000.

XSS is becoming increasingly common, up more than 160% in the fourth quarter of 2012 from the previous three months, according to FireHost research. An attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. It is employed by attackers for a range of reasons, from simply interfering with websites to launching phishing attacks; and the scripts can even rewrite the content of the HTML page.

Clearly, Google wants to encourage researchers to spend more time in that arena. “Our vulnerability reward programs have been very successful in helping us fix more bugs and better protect our users, while also strengthening our relationships with security researchers,” said Google security team members Michal Zalewski and Adam Mein, in a blog post. They added, “In recognition of the difficulty involved in finding bugs in our most critical applications, we’re once again rolling out updated rules and significant reward increases for another group of bug categories.”

The bug bounty program offers Google an invaluable way to harness the public braintrust to help it strengthen its web properties. For instance, the program allowed it to uncover and fix 17 high-risk vulnerabilities in Chrome last year, for which Google even gave $10,000 to each of three researchers as a “surprise bonus” for “sustained, extraordinary contributions” to fixing Chrome bugs.

“We have always reserved the right to arbitrarily reward sustained, extraordinary contributions. In this instance, we’re dropping a surprise bonus. We reserve the right to do so again and reserve the right to do so on a more regular basis! Chrome has a leading reputation for security and it wouldn’t be possible without the aggressive bug hunting of the wider community,” the company said at the time.

Since introducing its reward program in 2010, Google said that has received more than 1,500 qualifying vulnerability reports that span across Google’s services, as well as software written by companies that it’s acquired. The company has paid out $828,000 to more than 250 individuals, some of whom have doubled their total by donating their rewards to charity – Google will match the donated amount.

“For example, one of our bug finders decided to support a school project in East Africa,” Zalewski and Mein explained.

What’s Hot on Infosecurity Magazine?