
Google To Pay Up-Front For Security Research

Google has launched a new rewards programme, which it hopes will further encourage security researchers to hunt for bugs in high-profile applications and services – this time offering up-front grants of up to $3,133.70 (£2,086) with no strings attached.

Since 2010, the company has been rewarding researchers for tracking down bugs in its wares through its Security Rewards Programme, but the new Vulnerability Research Grants will pay researchers before research begins, and don’t depend on their finding a vulnerability.

Google said the “experimental” programme is intended to keep researchers focused on the company’s products in spite of the increasing difficulty of unearthing vulnerabilities.

“It can…be discouraging when researchers invest their time and struggle to find issues,” said Google security engineer Eduardo Vela Nava in a blog post. “These are up-front awards that we will provide to researchers before they ever submit a bug.”

Google said it plans to indicate to researchers particular types of vulnerabilities, products or services for which it wants to support security research, and those interested can apply for a grant to look into one of these areas. The company will make available several tiers of grants, ranging from $500 to $3,133.70.

On top of the grant, researchers will also be eligible for bounties on any bugs they may find. If no bugs turn up, this doesn’t affect eligibility to apply for future grants, Google said.

The company said it is looking to focus research on newly launched products and services and on high-profile services such as Google Search, Google Wallet, Google Code Hosting, Google App Engine and Google Play. Google will also pay researchers who want to find ways to improve the company’s existing security patches.

Top talent only

There is a catch, however – the programme is only open to those with a proven track record in the company’s current rewards scheme as well as “invited experts”.

Google said it has paid out more than $4m to researchers since 2010 through all its rewards programmes, with $1.5m being paid last year alone to more than 200 researchers who reported more than 500 security flaws. The largest single bounty was $150,000 paid to a well-known hacker who then joined Google for an internship.

Bug-hunting has developed into a competitive business, not least because of the bad publicity that can result from the discovery of high-profile flaws. Microsoft, Facebook and Mozilla are among those who offer bug bounty programmes.

Google has recently been at odds with Microsoft after disclosing a flaw in Windows 8.1 before Microsoft could fix it.


Matthew Broersma

Matt Broersma is a long-standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications.
