eBrandz Blog

Dealing with security problems, the Google way!

Google has reportedly decided to raise its bounty on tricky software bugs, which hackers look to exploit for launching cyber attacks on its services. The search engine giant has just recently marked its Vulnerability Reward Program’s anniversary, possibly among the few permanent tools of its type for protecting web properties. This proactive collaboration with the broader security research community has met with an enthusiastic and spontaneous response since its launch.

In fact, surpassing its earlier expectations, the security team has received almost 800 qualifying vulnerability reports, spanning the hundreds of in-house services developed by the Internet giant, in addition to the software created by the fifty or so entities it has acquired. In just a year’s time, the Vulnerability Reward Program paid out almost $460,000 to more than 200 people in an endeavor to make the users of different Google services safer.

To underline its commitment to security and to mark the success of this collaborative effort, Google has decided to roll out updated rules for the program, outlining new rewards for critical bugs.

A reward for qualifying vulnerabilities

A reward of $20,000 has been announced for qualifying vulnerabilities which, in the judgement of the reward panel, will permit code execution on its production systems. Another $10,000 is for SQL injection and/or equivalent vulnerabilities, as well as for certain kinds of information disclosure and authentication/authorization bypass bugs. One more award category covers the various types of XSS and XSRF, plus other high-impact flaws in sensitive applications. The new rules aim to focus research on the issues that bring practical benefit to users. An official blog post by Michal Zalewski and Adam Mein elaborates:

“They (the new rules) offer reduced rewards for vulnerabilities discovered in non-integrated acquisitions and for lower risk issues. For example, while every flaw deserves appropriate attention, we are likely to issue a higher reward for a cross-site scripting vulnerability in Google Wallet than one in Google Art Project, where the potential risk to user data is significantly smaller.”

Google Authenticator app updates

Meanwhile, an enhanced Google Authenticator app has been released for mobile devices. For the record, 2-step verification was first made available by the Google Security Team to all users in February 2011. Several million users have opted for this added layer of security to protect their Google Accounts. The team has now updated Google Authenticator, the feature’s companion smartphone application, for all Android users.

The verification process requires users to enter a verification code when signing in from a desktop or laptop they have not marked as ‘trusted’. Many users prefer to receive their codes by voice call or SMS. Smartphone users have a further option: installing the app lets them generate codes on the device itself, which is useful when traveling or wherever cellular coverage is unreliable.

Google Authenticator can generate a valid code even when the device is not connected to any data or cellular network. To keep the verification process simple and user friendly, with easy access to verification codes from anywhere at any time, the updated Google Authenticator app has been given a better look and feel alongside fundamental upgrades to its back-end security. All Google Authenticator users will be automatically directed to the upgraded version after launching the app.