Google To Pay Up-Front For Security Research

Google has launched a new rewards programme, which it hopes will further encourage security researchers to hunt for bugs in high-profile applications and services – this time offering up-front grants of up to $3,133.70 (£2,086) with no strings attached.

Since 2010, the company has been rewarding researchers for tracking down bugs in its wares through its Security Rewards Programme, but the new Vulnerability Research Grants will pay researchers before research begins, and doesn’t depend on their finding a vulnerability.

Google said the “experimental” programme is intended to keep researchers focused on the company’s products in spite of the increasing difficulty of unearthing vulnerabilities.

“It can…be discouraging when researchers invest their time and struggle to find issues,” said Google security engineer Eduardo Vela Nava in a blog post. “These are up-front awards that we will provide to researchers before they ever submit a bug.”

Google said it plans to indicate to researchers particular types of vulnerabilities, products or services for which it wants to support security research, and those interested can apply for a grant to look into one of these areas. The company will make availalbe several tiers of grants, ranging from $500 to $3,133.70.

On top of the grant, researchers will also be eligible for bounties on any bugs they may find. If no bugs turn up, this doesn’t affect eligibility to apply for future grants, Google said.

The company said it is looking to focus research on newly launched products and services and on high-profile services such as Google Search, Google Wallet, Google Code Hosting, Google App Engine and Google Play. Google will also pay researchers who want to find ways to improve the company’s existing security patches.

Top talent only

There is a catch, however – the programme is only open to those with a proven track record in the company’s current rewards scheme as well as “invited experts”.

Google said it has paid out more than $4m to researchers since 2010 through all its rewards programmes, with $1.5m being paid last year alone to more than 200 researchers who reported more than 500 security flaws. The largest single bounty was $150,000 paid to a well-known hacker who then joined Google for an internship.

Bug-hunting has developed into a competitive business, not least because of the bad publicity that can result from the discovery of high-profile flaws. Microsoft, Facebook and Mozilla are among those who offer bug bounty programmes.

Google has recently been at odds with Microsoft after disclosing a flaw in Windows 8.1 before Microsoft could fix it.

Are you a security pro? Try our quiz!