In the 15 months since Google began offering rewards to researchers who report vulnerabilities in its Web applications, the company has paid out more than $400,000 in bug bounties. That’s a lot of money, even for Google, and the company is counting the program as a huge success.
Google’s reward program was not the first of its kind, but because of its scope and the company’s reach, it has attracted quite a lot of attention in the community and a ton of submissions. In the first week of the program, Google received more than 40 legitimate submissions, and the volume has only gone up since then. In total, Google has taken in more than 1100 bug reports, of which 730 qualified for a reward of some kind.
“Roughly half of the bugs that received a reward were discovered in software written by approximately 50 companies that Google acquired; the rest were distributed across applications developed by Google (several hundred new ones each year). Significantly, the vast majority of our initial bug reporters had never filed bugs with us before we started offering monetary rewards,” Adam Mein, a technical program manager on Google’s security team, wrote in an analysis of the bug bounty program’s success.
Mein said that the company considers the program quite a success, given the number of flaws Google has been able to fix that it might not have found otherwise.
“Google has gotten better and stronger as a result of this work. We get more bug reports, which means we get more bug fixes, which means a safer experience for our users,” he said.
Mozilla, Barracuda and other software vendors have started bug bounty programs in recent years, and Microsoft has come about as close as it’s likely to get anytime soon with the unveiling of its Blue Hat Prize program last year. That program is designed to pay as much as $200,000 for innovative defensive technologies, though, and doesn’t reward researchers for finding flaws in the company’s products.