Google will motivate bug hunters to keep probing its products with research grants

The company seeks new ways to incentivize researchers as bugs become harder to find

Google has expanded its bug bounty programs to cover the company's official mobile applications, and is seeking to stimulate vulnerability research on particular products by offering money in advance to bug hunters.

The company launched an experimental Vulnerability Research Grants program Friday, through which it will pay researchers to look at specific categories of products regardless of whether this results in any issues being discovered.

Google's existing vulnerability reward programs that pay researchers for individual security flaws found in Chrome or the company's online services have been hailed as a great success. In 2013, the company also launched a program though which it rewards security fixes made in third-party open-source software that's deemed critical for the Internet infrastructure.

"Researchers' efforts through these programs, combined with our own internal security work, make it increasingly difficult to find bugs," Google security engineer Eduardo Vela Nava said Friday in a blog post. "Of course, that's good news, but it can also be discouraging when researchers invest their time and struggle to find issues. With this in mind, today we're rolling out a new, experimental program: Vulnerability Research Grants. These are up-front awards that we will provide to researchers before they ever submit a bug."

Google has paid over US$4 million to researchers through its existing programs since 2010. In 2014 alone the company paid $1.5 million in rewards to over 200 researchers who reported more than 500 security bugs, Vela Nava said.

The highest reward for a single vulnerability was $150,000, paid to well-known researcher and PlayStation hacker George Hotz for a Chrome exploit. Hotz, known online as geohot, went on to join Google's Project Zero research team as an intern.

The new research grants will vary in size from $500 to $3,133.7 (eleet in hacker speak) and will be available for three categories of targets: newly launched services and features; services considered highly sensitive by Google and critical patches for flaws that affect multiple Google products.

Incentivizing researchers to scrutinize patches for already reported vulnerabilities is valuable and different than what other companies have done through their bug bounty programs so far. There have been many cases in the past where researchers discovered that a company's patch for a vulnerability was ineffective or didn't cover all possible attack scenarios.

The most interesting aspect of Google's new vulnerability research grants is that actually finding vulnerabilities is not mandatory.

"We decided to try something different that was also aimed at rewarding researchers' time in situations when they pentest services that are likely not to result in vulnerabilities, as we believe we also benefit from knowing about products in which finding bugs is hard," Google said in the program's description.

If vulnerabilities are found as part of a research grant, those vulnerabilities will also qualify for individual rewards through the other programs, so the grants do not replace individual bug bounties but complement them.

Furthermore, researchers who have already participated in the company's existing reward programs and received bug bounties for their findings will have a higher chance of obtaining a grant. Their applications will be prioritized over those of newcomers.

The company also extended its Vulnerability Reward Program to cover mobile applications developed by Google and distributed through Google Play and iTunes. The VRP previously covered only Google's online services and its extensions and apps for Google Chrome

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags patchesonline safetyGooglesecurityExploits / vulnerabilities

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?