Google is willing to pay for your bug-hunting
Your application testing services may come in handy in the most unexpected moments. Google, as many other IT giants like Facebook are offering rewards per bugs you are able to locate and report back. Thus your passion for perfect software does not necessarily end after the business hours. You are free to enjoy some testing while at home and the extra practice may be even well paid if all is done right. There are multiple programs like:
- VRP or Google Vulnerability Reward program
- Chrome Reward Program
- Patch Reward Program yet it may be considered something off-topic as requires you to create actual patches
So what does a decent bug-hunter do and where should one go? Let’s deal with one thing at a time and we will begin with…
Google likes to keep their users safe, thus they are actually encouraging everybody with the ability to serve this proud goal (allowing Google to keep all your data to themselves as well as NSA sometimes) to do so and to get paid nicely as well. What are the services you are to focus here?
- Pretty much every service owned by Google, yet extra attention should go to the domains, such as
- If the app is tagged with two magical words “By Google” it will work as well
Still there are exclusions you are to remember. You may look for bugs there as well, yet you will not be paid by Google for all the foul things you will be able to locate in:
- Any third-party websites. Such pages may possess several Google-branded products or features yet they are most likely operated by the giant’s partners or vendors.
- Apps that are non-web. Chrome and Google Wallet are exceptions.
- Something that is newly acquired by Google. There is a six-month period when you won’t get a dime for a tracked bug in something that was recently not Google.
What to look out for?
- Mixed-content scripting
- Cross-site scripting
- Cross-site request forgery
- Server-side code execution bugs
- Flaws in authorization or autentification
How much may one earn? About that much.
What is most likely to be considered a non-quality vulnerability? In simple words something you will not be getting paid as well. Although you might take a shot as all of those will be reviewed depending on the particular case.
- URL redirection
- Execution of JS that is owner-supplied in Blogger
- Some vulnerabilities in “sandbox” domains regarding to cross-site scripting
- Bugs that require user interaction that is way unlikely to happen in real life
- Proxying and framing of legitimate content
- Logout cross-site request forgery
- If something occurs in outdated browsers & plugins – that is user issues
Chrome Reward Program
What to look up for with Chrome? It’s getting as easy as practically any security bug in Chrome OS or Chrome itself. As always, there are exceptions.
- The guys with cash from Google are looking for bugs that are taking place in Stable, Dev and Beta channels.
- And the same guys are interested in bugs occurring in various third-party software like Adobe Flash that Google are shipping or using and which manifest through Chrome.
Are there any rules? Sure they are. There are always rules just to spoil some fun apparently, otherwise I can’t come up with why are they still existing (I am talking about rules in general). Thus we have three of their representatives here as well:
- Only the first report of any issue that Google specialists were previously unaware of counts. Thus you are to rush in order to be #1
- Bugs you have displayed to the publicity or any third party are not doing the trick as well
- So if you actually are a fuzzer and are running on ClusterFuzz there will be no reward for you if any one of Google’s fuzzers will find the same bug within 48 hours after your report
The rewards Google’s offering:
Enjoy the knowledge and new practicing capabilities that may and will be rewarded regardless whether by Google via hard cash or with new experience and skills you have gained.