Google is expanding its bug bounty program with an experimental grant program that pays researchers for their time before they find a vulnerability. It has also brought its mobile apps into the initiative.
The Vulnerability Research Grants are up-front awards meant to encourage researchers to keep hunting for bugs even as finding them becomes harder over time. Grants will be offered in several tiers, with a maximum of $3,133.70.
“Researchers' efforts through these programs, combined with our own internal security work, make it increasingly difficult to find bugs,” said Eduardo Vela Nava, security engineer for Google, in a blog. “Of course, that's good news, but it can also be discouraging when researchers invest their time and struggle to find issues.”
Google will publish the types of vulnerabilities, products and services that are eligible for the grants, and will pay the grant before research begins, with no strings attached. On top of the grant, researchers remain eligible for the regular rewards for any bugs they discover.
Meanwhile, all mobile applications officially developed by Google on Google Play and iTunes will now be within the scope of the Vulnerability Reward Program.
Since launching in 2010, the program has paid more than $4 million in rewards to security researchers. It paid out $1.5 million in 2014 alone, to 200 different researchers, with the largest award topping out at $150,000.
The program uncovered 500 bugs last year, too. For Chrome, more than half of all rewarded reports for 2014 were in developer and beta versions.
“We were able to squash bugs before they could reach our main user population,” Vela Nava said.
He added, “Since 2010, our Security Reward Programs have been a cornerstone of our relationship with the security research community. These programs have been successful because of two core beliefs: Security researchers should be rewarded for helping us protect Google's users; [and], researchers help us understand how to make Google safer by discovering, disclosing and helping fix vulnerabilities at a scale that’s difficult to replicate by any other means.”