"Any Google web properties which display or manage highly sensitive authenticated user data or accounts may be in scope," its security team explained.
The program extends a previous campaign that rewarded researchers for discovering security flaws in its Chrome browser.
Like that vulnerability program, Google is offering payment to researchers who find a bug, however it almost doubled the upper limit for finding "unusually clever" bugs.
The base offer, as for Chrome, is US$500 while the new top reward is US$3,133, two thousand more than under Chrome.
Bugs in scope include cross-site scripting flaws, bypassing its authorisation controls and "server side ... command injection".
Not surprisingly, Google's said its own corporate infrastructure was "definitively excluded".
Other attacks it didn't want researchers to launch against it included denial of service bugs, attacks on web properties hosted by third parties, and recently acquired technologies.
Also out of scope were its client applications such as Android, Picasa and Google Desktop.