Google will motivate bug hunters to keep probing its products with research grants

The company seeks new ways to incentivize researchers as bugs become harder to find

Google has expanded its bug bounty programs to cover the company's official mobile applications, and is seeking to stimulate vulnerability research on particular products by offering money in advance to bug hunters.

The company launched an experimental Vulnerability Research Grants program Friday, through which it will pay researchers to look at specific categories of products regardless of whether this results in any issues being discovered.

Google's existing vulnerability reward programs that pay researchers for individual security flaws found in Chrome or the company's online services have been hailed as a great success. In 2013, the company also launched a program though which it rewards security fixes made in third-party open-source software that's deemed critical for the Internet infrastructure.

"Researchers' efforts through these programs, combined with our own internal security work, make it increasingly difficult to find bugs," Google security engineer Eduardo Vela Nava said Friday in a blog post. "Of course, that's good news, but it can also be discouraging when researchers invest their time and struggle to find issues. With this in mind, today we're rolling out a new, experimental program: Vulnerability Research Grants. These are up-front awards that we will provide to researchers before they ever submit a bug."

Google has paid over US$4 million to researchers through its existing programs since 2010. In 2014 alone the company paid $1.5 million in rewards to over 200 researchers who reported more than 500 security bugs, Vela Nava said.

The highest reward for a single vulnerability was $150,000, paid to well-known researcher and PlayStation hacker George Hotz for a Chrome exploit. Hotz, known online as geohot, went on to join Google's Project Zero research team as an intern.

The new research grants will vary in size from $500 to $3,133.7 (eleet in hacker speak) and will be available for three categories of targets: newly launched services and features; services considered highly sensitive by Google and critical patches for flaws that affect multiple Google products.

Incentivizing researchers to scrutinize patches for already reported vulnerabilities is valuable and different than what other companies have done through their bug bounty programs so far. There have been many cases in the past where researchers discovered that a company's patch for a vulnerability was ineffective or didn't cover all possible attack scenarios.

The most interesting aspect of Google's new vulnerability research grants is that actually finding vulnerabilities is not mandatory.

"We decided to try something different that was also aimed at rewarding researchers' time in situations when they pentest services that are likely not to result in vulnerabilities, as we believe we also benefit from knowing about products in which finding bugs is hard," Google said in the program's description.

If vulnerabilities are found as part of a research grant, those vulnerabilities will also qualify for individual rewards through the other programs, so the grants do not replace individual bug bounties but complement them.

Furthermore, researchers who have already participated in the company's existing reward programs and received bug bounties for their findings will have a higher chance of obtaining a grant. Their applications will be prioritized over those of newcomers.

The company also extended its Vulnerability Reward Program to cover mobile applications developed by Google and distributed through Google Play and iTunes. The VRP previously covered only Google's online services and its extensions and apps for Google Chrome

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityGoogleonline safetypatchesExploits / vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?