Google distributed $1.5 million in awards in 2014 for security vulnerability disclosures, money that was spread across 200 different researchers and included disclosures on over 500 bugs in Google’s Chrome Web browser. In total, Google has paid out $4 million in bug bounties since it first began rewarding researchers in 2010.
One thing in common across all of these awards is that they were for research that was already completed. Google is now expanding its scope by announcing plans to pay researchers for bugs before their research is actually completed. The new program, called the Vulnerability Research Grant, will pay researchers between $500 and $3,133.70.
“The program is intended for our top performing, frequent vulnerability researchers as well as invited experts, and we hope it will allow us to reward the security researchers’ time and attention including the situations when they don’t find any vulnerabilities,” Google’s documentation on the new grant explains. “If, as a result of the grant, a vulnerability is found, then it will also be eligible for a reward under our Vulnerability Reward Program.”
Research grants will only apply to technologies that Google considers to be highly sensitive services. The search giant’s list of these services includes Google Search, Google Wallet, Google Inbox, Google Code Hosting, Chrome Web Store, Google App Engine, Google Admin, Google Developers Console and Google Play.
No Bug, No Problem
Google doesn’t mind if a researcher who receives a Vulnerability Research Grant doesn’t actually find a vulnerability.
“The goal of the grants is to support research looking for vulnerabilities, so we definitely expect that often no vulnerabilities will be found,” Google stated. “Receiving a grant and not finding anything doesn’t affect your chances of receiving a new one. The information in the survey of what you looked at and the results will be valuable for us.”
Finding bugs in Google’s software has become an increasingly difficult challenge in recent years. Google published statistics on all the bugs it received in 2014, and it considered the vast majority of them to be invalid reports.
The data also reveals that Google gets the largest volume of bugs from Europe, followed by Asia. “We receive more valid reports from researchers from Africa than those from America,” Google stated.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.