I'd like to use my last blog post of the year to sum up five vulnerabilities I found in Google Sites during the course of the year. Google Sites grew out of JotSpot, a site creation service bought by Google in 2006 and made free to use in 2008. A multi-tiered permission system and multitude of customisation options makes Sites an interesting target to investigate.

For these issues Google awarded a total of $13,034.80, making Sites the most rewarding Google property I've looked at so far. The first four vulnerabilities described here earned Google's celebrated $3133.7 bounty, the last $500.