An XSS Vulnerability is Worth up to $10,000 According to Google

Category: Web Security Readings - Thu, 08 Oct 2015 - by Robert Abela

Last week Google increased the financial rewards for Google’s Web Vulnerability Program. What exactly does this mean?

What is the Google Web Vulnerability Reward Program?

Internet giant Google pays up to $10,000 to whoever finds a web application vulnerability such as cross-site scripting and SQL injection in their web applications, such as Gmail, YouTube, Google Checkout, Google Wallet etc.

There are many other world-renowned companies doing the same as Google, i.e. paying hackers who find web application vulnerabilities in their web applications. Some of these companies are Facebook, PayPal, Adobe and Mozilla.

Why Pay Hackers to find Web Application Vulnerabilities?

Web applications have become a vital part of our lives and online businesses depend on them. When you pay for a service online or check your bank accounts through an e-banking system, you are using web applications. Businesses use them to provide a service to their customers, to receive payments from their customers and also to store customer data and share it with their business partners and remote employees.

To be able to provide top quality services to their customers, businesses store sensitive data that has to be accessible via web applications. Typically such data consists of customer personal contact details, credit card numbers, social security numbers etc. To encourage more customers to use their service and gain trust, online businesses also have to ensure that their web applications are secure. As we have constantly seen in the news, businesses cannot afford to have a hacked web application because it leads to huge financial loss, tarnished reputation, and loss of customer trust. Sometimes a hack also leads to bankruptcy and business closure.

To make things worse, web applications are becoming really complex, and securing them is becoming a very complex process too. As we have seen in the blog post The dangerous complexity of web application security, businesses have to make sure they find all vulnerabilities and close them, while a malicious hacker only needs to find one to hack a web application.

Even though many businesses try their best to secure their web applications, malicious hackers always seem to manage to break into web applications and steal sensitive data. It didn’t take long, though, until online businesses such as Google learnt that paying anyone who finds a vulnerability in their web applications saves them money and, most importantly of all, their business and service reputation.

Why Did Google Increase the Financial Rewards?

If, like me, you browse news websites on a daily basis, you will notice that every day some service or website is hacked and user information such as contact details and credit card numbers is leaked. Sometimes it gets even worse, as in the case of the South African Police website hack, where the details of thousands of whistleblowers were exposed. Such incidents have become so common that most of them do not even make it to the news. And Google is no exception. With the wide range of web applications and services they host, I’m sure they have noticed an increase in web application attacks over the last couple of months. As a matter of fact, since Google launched the Web Vulnerability Reward Program in November 2010, Google has already paid 250 individuals a whopping sum of $828,000.

In an effort to step up the game against malicious hacking, encourage more hackers to find web application vulnerabilities and ensure that their web applications and customers’ information are secure, Google increased the financial rewards. The financial reward for reporting a cross-site scripting vulnerability has more than doubled: previously Google paid up to $3,133.7, and now it pays up to $7,500.

Is a Cross-site Scripting Vulnerability Really Dangerous?

The increase in the financial reward for reporting a cross-site scripting vulnerability is not a coincidence. Many people think that a cross-site scripting (XSS) vulnerability is not dangerous because exploiting it does not retrieve data directly from the backend database, as exploiting an SQL injection does. This is a misconception: what an attacker gains by exploiting a cross-site scripting vulnerability is the ability to run script in the victim’s browser, in the victim’s session with the vulnerable application, which is often worth much more than a database dump. Read our security blog post Web application security misconception – XSS is not dangerous for more information about this common misconception.
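The root cause of a cross-site scripting vulnerability is output that embeds untrusted input without encoding it for the HTML context it lands in. The following added example (written for this article; it is not code from the original post or from Netsparker) shows a vulnerable renderer next to its hardened form for two contexts, the HTML body and an attribute, and a small parser-based check that reports whether a rendered fragment would execute script. The comment text and URL are constructed sample inputs, not real user data.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample inputs (not real user data): what a comment field and a
# profile-link field might receive from someone attempting script injection.
CONSTRUCTED_COMMENT = '<script>document.title = "injected"</script>'
CONSTRUCTED_URL = 'https://example.com/" onmouseover="alert(1)'


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: user input is concatenated straight into the HTML body."""
    return f'<div class="comment">{comment}</div>'


def render_comment_safe(comment: str) -> str:
    """Hardened: escape for the HTML body context before insertion."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def render_link_unsafe(url: str, label: str) -> str:
    """Vulnerable: input lands inside an attribute value with no encoding."""
    return f'<a href="{url}">{label}</a>'


def render_link_safe(url: str, label: str) -> str:
    """Hardened: allow only http(s) URLs (escaping alone does not stop a
    javascript: URL), then escape for the attribute context with quote=True so
    a quote character in the input cannot terminate the attribute."""
    scheme = urlparse(url).scheme.lower()
    href = url if scheme in ("http", "https") else "#"
    return (f'<a href="{html.escape(href, quote=True)}">'
            f'{html.escape(label, quote=True)}</a>')


class _ActiveContentCounter(HTMLParser):
    """Counts constructs that would run script when the fragment is rendered:
    <script> elements and on* event-handler attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.event_handlers = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.event_handlers += 1


def active_content(fragment: str) -> dict:
    """Parse a rendered fragment the way a browser tokenizer would and report
    how many script tags and event-handler attributes it contains."""
    counter = _ActiveContentCounter()
    counter.feed(fragment)
    counter.close()
    return {"script_tags": counter.script_tags,
            "event_handlers": counter.event_handlers}


if __name__ == "__main__":
    cases = [
        ("comment, unsafe", render_comment_unsafe(CONSTRUCTED_COMMENT)),
        ("comment, safe", render_comment_safe(CONSTRUCTED_COMMENT)),
        ("link, unsafe", render_link_unsafe(CONSTRUCTED_URL, "profile")),
        ("link, safe", render_link_safe(CONSTRUCTED_URL, "profile")),
    ]
    for name, fragment in cases:
        print(f"{name:16s} {active_content(fragment)}")
```

Running the block shows the unsafe comment renderer producing one `<script>` element and the unsafe link renderer producing one `onmouseover` handler, while both hardened renderers produce none. The design point is that encoding must match the context (body versus attribute) and that some contexts, such as `href`, also need an allowlist, because an encoded `javascript:` URL is still a `javascript:` URL.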

Detect Cross-site Scripting and SQL Injection Vulnerabilities in your Web Application

Like Google, is your business doing its best to find all the vulnerabilities in its web applications? There is no need to spend millions of dollars to ensure that your web applications and customers’ details are secure. All you need to do is scan your websites and web applications with Netsparker Web Application Security Scanner.

Netsparker is a false positive free web application security scanner that automatically detects security vulnerabilities such as cross-site scripting and SQL injection in your business websites and web applications, and it does not cost that much!

Download a trial copy of Netsparker web application security scanner today and detect vulnerabilities on your web applications that hackers can exploit.
