Google Adds Research Grants to Bug Bounty Program

Google announced that it will offer research grants to those taking part in its Vulnerability Rewards Program. The program paid out $1.5 million in 2014.

Google last week announced that it has instituted a program for 2015 in which researchers can receive up to $3,133.70 in grant money for bug hunting.

Researchers must apply for the grants, which will be an up-front award that will be paid out before a bug is submitted, Google said.

“Researchers’ efforts through these programs, combined with our own internal security work, make it increasingly difficult to find bugs,” said Eduardo Vela Nava, Google security engineer. “Of course, that’s good news, but it can also be discouraging when researchers invest their time and struggle to find issues.”

Nava said Google will identify specific vulnerabilities, products and services that fall under the grant program, which extends beyond its established vulnerability rewards program.

“We’ll award grants immediately before research begins, with no strings attached,” Nava said. “Researchers then pursue the research they applied for, as usual.”

Nava said research grants will be available in different tiers, topping out at $3,133.70 (hacker speak for Leet, or elite). The grant, Nava said, does not preclude a researcher from also earning a bug bounty for any vulnerabilities they find during the course of their research.

The grants are one of two changes announced for 2015; the other is that all mobile applications developed by Google and made available on Google Play and iTunes are now within scope of its Vulnerability Reward Program.

“Researchers help us understand how to make Google safer by discovering, disclosing, and helping fix vulnerabilities at a scale that’s difficult to replicate by any other means,” Nava said.

To that end, Google said it paid out more than $1.5 million in 2014, bringing the overall payouts from Google’s bounty program to over $4 million since the program started in 2010. The top payout was $150,000 to hacker George Hotz, who pocketed his prize during the Pwnium event held in conjunction with the CanSecWest conference last spring. Hotz found a persistent code execution vulnerability in the Chrome OS and was awarded Google’s top prize; he also won $50,000 during Pwn2Own for a Firefox bug.

Nava said Google rewarded 200 researchers for 500 vulnerabilities.

“For Chrome, more than half of all rewarded reports for 2014 were in developer and beta versions. We were able to squash bugs before they could reach our main user population,” Nava said.