Google has been paying researchers for uncovering flaws in its software since 2010. The company’s Security Rewards Program has proved so successful that it’s getting harder to find new bugs, a situation that’s forced it to review the way it rewards the work of its valued bug hunters.
In a blog post over the weekend, Google security engineer Eduardo Vela Nava said that while it’s good news that its products and services now contain fewer security flaws than ever, this means “it can also be discouraging when researchers invest their time and struggle to find issues.”
As a result, the company is launching the Vulnerability Research Grants program that allows skilled researchers to receive payments before they begin their search for bugs in Google’s software.
The company said that starting now it’ll make special requests to experts regarding the kind of research that’s required. The cash payments will run from about $500 to $3,000 per project and will be handed out “immediately before research begins, with no strings attached.”
Google also said that from now all mobile apps officially developed by Google on Google Play and iTunes will also be within the scope of the Vulnerability Reward Program.
Any researchers interested in getting involved can find out more here.
The Mountain View company said that in 2014 it paid more than 200 researchers around $1,500,000 for their work, which involved the discovery of more than 500 bugs.
“For Chrome, more than half of all rewarded reports for 2014 were in developer and beta versions [so we] were able to squash bugs before they could reach our main user population,” Vela Nava said.
The single largest reward was $150,000, made to computer whizz George Hotz after he picked apart Google Chrome’s defenses. So impressed was Google by Hotz’s work that it invited him to join an internship with Project Zero, an initiative launched last year aimed at improving the security of all software, not just Google’s.
[Source: Google]
