Google Looks Back, Forward on Security Rewards Programs

On Friday (Jan. 30), Google posted a “Year in Review, Year in Preview” report on its Security Rewards Programs.

Founded in 2010, the programs are based on Google’s stated beliefs that (1) security researchers should be rewarded for helping to protect Google’s users, and (2) researchers help the company understand how to make Google safer by discovering, disclosing, and helping fix vulnerabilities at a scale that’s difficult to replicate by any other means.

In 2014, Google paid out more than $1,500,000 in rewards to over 200 researchers, with the largest single reward being $150,000. The company also rewarded more than 500 bugs, and for Chrome, more than half of all rewarded reports for 2014 were in developer and beta versions.

Looking ahead to 2015, Google announced two additions to its Security Rewards Programs.

The first is Vulnerability Research Grants, which are up-front awards that Google will provide to researchers before they ever submit a bug.

The program works as follows: Google will publish different types of vulnerabilities, products and services for which it wants to support research beyond its normal vulnerability rewards. The company will award grants immediately before research begins, with no strings attached; researchers will then pursue the research they applied for, as usual. There will be various tiers of grants, with a maximum of $3,133.70. On top of the grant, researchers will remain eligible for regular rewards for the bugs they discover.

The second addition, which also went into effect on Jan. 30, is the inclusion of all mobile applications officially developed by Google on Google Play and iTunes in the scope of the Vulnerability Reward Program.