Since 2010, when it began paying security researchers to find flaws in its programs, Google has paid more than US$4 million to bug hunters. Now it’s prepared to pay even more.
The company announced Friday that it’s expanding its Security Rewards Programs to include payments to researchers before they find bugs in Google’s software.
It’s also broadening the reach of its Vulnerability Reward Program to include all mobile applications officially developed by Google and distributed at the Google Play and iTunes stores.
The success of Google’s bug bounty programs contributed to the company’s decision to launch its grant program. “[R]esearchers’ efforts through these programs, combined with our own internal security work, make it increasingly difficult to find bugs,” Google Security Engineer Eduardo Vela Nava explained in a company blog.
“Of course, that’s good news,” he continued, “but it can also be discouraging when researchers invest their time and struggle to find issues.”
With that in mind, Google launched the Vulnerability Research Grant program, where researchers receive upfront cash before they submit a bug to the company.
To receive a grant, bug hunters will need to submit research proposals in areas identified by Google, meaning areas where it wants research beyond what its normal vulnerability reward programs cover.
Recipients receive their awards before their research begins with no strings attached. Grant amounts will be based on a tiered structure with the maximum grant being US$3,133.70.
Why the odd number? It’s a reference to 31337. Coined by a group of hackers who called themselves the Cult of the Dead Cow, it has come to mean “Eleet,” a term used to describe the greatness of an individual or group.
On top of any grants awarded by Google, researchers are still eligible for regular rewards for the bugs they discover. That’s important because the size of even the maximum grant is relatively low for original research.
“A lot of high-skilled security consultants would think $3,133 is a pretty paltry amount and could make that in a couple of days,” David Lindsay, a senior security product manager with Coverity, told the E-Commerce Times.
Extra Eyeballs Valuable
In expanding its bounty program to its mobile apps, Google appears to be learning from the success of others. “Properly incentivized security research has proven to be universally effective at hardening all forms of attack surfaces, and mobile apps are no exception,” observed Alex Rice, CTO of HackerOne.
“Many bug bounty programs explicitly include mobile apps with promising results and higher bounties awarded on average,” he told the E-Commerce Times.
Expansion to mobile also suggests that Google is confident in the quality of the apps it’s producing. That’s because no company wants to run a bounty program if its apps are riddled with bugs. That runs up the tab for the program, or worse.
“I’ve recommended to some companies that they not do such a program because they’d reveal just how vulnerable their mobile applications are,” Coverity’s Lindsay said.
“I’m reasonably confident that Google feels its mobile applications are in good shape,” he added, “so they don’t have a lot to lose by getting extra eyeballs on it.”
An Elegant Solution
Those extra eyeballs can be a boon to those who know how to use them. In addition to helping organizations control the disclosure of security vulnerabilities before they’re used to attack their customers, Bluebox co-founder Adam Ely noted “bounty programs help security teams crowdsource testing, which can be highly beneficial.”
Google’s bounty program already had a reputation for results, so this expansion may have an impact beyond the Googleplex.
“Google’s continued investment in their extremely successful program is positive proof of the effectiveness of these programs, and their results are not unique,” HackerOne’s Rice said. “Collaborating with the highly skilled hacker community is an incredibly elegant solution for fixing inevitable security issues.”
Added Chet Wisniewski, a security advisor with Sophos, “Anytime someone is willing to embrace the security community and put some skin in the game, everyone wins — except the NSA.”