Google is giving friendly bug hunters an ego-boost.

A new page, quietly added to Google's corporate Web site last month, gives information on the security and safety of the company's Web properties. It also includes a list of people and organizations that Google wishes to thank for reporting security vulnerabilities to it.

That's a first among major Web companies, security researchers say.

"We want to thank those people for doing the right thing. I wanted to make sure we gave them lots of public 'geek cred,'" Douglas Merrill, vice president of engineering at Google, said in an interview. "The security researchers I know are partially in it for the geek credibility of it--the 'Hey! Look what I did. I am cool.'"

Traditional software makers typically use a note in their security advisories to give credit to people who find vulnerabilities in their products. But in the Web 2.0 world of online applications there are no such alerts, which are primarily meant to inform users about the security flaws and get them to install the available patch. Most of Google's services don't rely on people having its programs loaded on their desktops, so it mainly has to patch software on its own end.

"With Web-based software, e-mail alerts or bulletins do not fit the model," said Jeremiah Grossman, chief technology officer at WhiteHat Security, which specializes in Web application flaws and protection. "When a Web software company pushes security fixes, users don't have to patch." Grossman is one of the people thanked by Google on its Web site.

Full article: ZDNet