After paying $4m for bugs, Google offers new grants for suspected but unproven flaws

Google will pay bug hunters regardless of whether or not they actually find anything.
Written by Liam Tung, Contributing Writer

Google has launched a new vulnerability research grants program, offering cash to top security researchers who want to investigate potential bugs - even if the flaws turn out to be nothing.

The new "experimental" Vulnerability Research Grant program adds a fourth tier to Google's Security Reward Programs. Launched in 2010, the program has paid out over $4m to researchers for finding bugs in Google's websites, its Chrome browser, and its numerous open source projects.

However, unlike Google's other rewards, which pay only on a confirmed report, security researchers will now be able to apply for "up-front awards" to investigate an issue before they've submitted a bug. The grants are meant to compensate researchers who invest their time investigating suspected flaws but ultimately fail to find an exploitable issue.

The maximum grant available is $3,133.70, which is made available "before research begins, with no strings attached", according to Eduardo Vela Nava, a Google security engineer. Researchers will be eligible for regular rewards for bugs that they discover in the process.

The program is open to existing "top performing" bug reporters and invited experts, who'll have access to three types of grants: security research into newly-launched features and products; research into "highly sensitive services" such as Google search, Gmail, Inbox, and the Chrome Web Store; and research into recently-fixed vulnerabilities, where a patch may have left related variants unaddressed.

Google notes that receiving a grant and then not finding a bug will not affect the researcher's chances of being given a grant again in future. Google will, however, expect recipients to complete a survey once their research work is finished. Google will also tell researchers which types of flaws, products, and services it's keen for them to explore.

According to Google, last year it paid out more than $1.5m to 200 different researchers for reporting bugs, with the largest single reward of $150,000 going to well-known iPhone and PlayStation hacker George Hotz for breaking the defences of Chrome OS.

After a brief stint at Facebook, Hotz left the social network company to return to hacking, and last July took up an internship with Google's Project Zero team - the group that has been at loggerheads with Microsoft over Project Zero's rigid 90-day disclosure deadline.

Google has also widened the scope of its Vulnerability Reward Program to include mobile apps that are developed by Google and distributed on Google Play and other channels.
