Google will motivate bug hunters to keep probing its products with research grants

The company seeks new ways to incentivize researchers as bugs become harder to find

Google has expanded its bug bounty programs to cover the company's official mobile applications, and is seeking to stimulate vulnerability research on particular products by offering money in advance to bug hunters.

The company launched an experimental Vulnerability Research Grants program Friday, through which it will pay researchers to look at specific categories of products regardless of whether this results in any issues being discovered.

Google's existing vulnerability reward programs that pay researchers for individual security flaws found in Chrome or the company's online services have been hailed as a great success. In 2013, the company also launched a program though which it rewards security fixes made in third-party open-source software that's deemed critical for the Internet infrastructure.

"Researchers' efforts through these programs, combined with our own internal security work, make it increasingly difficult to find bugs," Google security engineer Eduardo Vela Nava said Friday in a blog post. "Of course, that's good news, but it can also be discouraging when researchers invest their time and struggle to find issues. With this in mind, today we're rolling out a new, experimental program: Vulnerability Research Grants. These are up-front awards that we will provide to researchers before they ever submit a bug."

Google has paid over US$4 million to researchers through its existing programs since 2010. In 2014 alone the company paid $1.5 million in rewards to over 200 researchers who reported more than 500 security bugs, Vela Nava said.

The highest reward for a single vulnerability was $150,000, paid to well-known researcher and PlayStation hacker George Hotz for a Chrome exploit. Hotz, known online as geohot, went on to join Google's Project Zero research team as an intern.

The new research grants will vary in size from $500 to $3,133.7 (eleet in hacker speak) and will be available for three categories of targets: newly launched services and features; services considered highly sensitive by Google and critical patches for flaws that affect multiple Google products.

Incentivizing researchers to scrutinize patches for already reported vulnerabilities is valuable and different than what other companies have done through their bug bounty programs so far. There have been many cases in the past where researchers discovered that a company's patch for a vulnerability was ineffective or didn't cover all possible attack scenarios.

The most interesting aspect of Google's new vulnerability research grants is that actually finding vulnerabilities is not mandatory.

"We decided to try something different that was also aimed at rewarding researchers' time in situations when they pentest services that are likely not to result in vulnerabilities, as we believe we also benefit from knowing about products in which finding bugs is hard," Google said in the program's description.

If vulnerabilities are found as part of a research grant, those vulnerabilities will also qualify for individual rewards through the other programs, so the grants do not replace individual bug bounties but complement them.

Furthermore, researchers who have already participated in the company's existing reward programs and received bug bounties for their findings will have a higher chance of obtaining a grant. Their applications will be prioritized over those of newcomers.

The company also extended its Vulnerability Reward Program to cover mobile applications developed by Google and distributed through Google Play and iTunes. The VRP previously covered only Google's online services and its extensions and apps for Google Chrome

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Googleonline safetypatchesExploits / vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?