Menu
Google will motivate bug hunters to keep probing its products with research grants

Google will motivate bug hunters to keep probing its products with research grants

The company seeks new ways to incentivize researchers as bugs become harder to find

Google has expanded its bug bounty programs to cover the company's official mobile applications, and is seeking to stimulate vulnerability research on particular products by offering money in advance to bug hunters.

The company launched an experimental Vulnerability Research Grants program Friday, through which it will pay researchers to look at specific categories of products regardless of whether this results in any issues being discovered.

Google's existing vulnerability reward programs that pay researchers for individual security flaws found in Chrome or the company's online services have been hailed as a great success. In 2013, the company also launched a program though which it rewards security fixes made in third-party open-source software that's deemed critical for the Internet infrastructure.

"Researchers' efforts through these programs, combined with our own internal security work, make it increasingly difficult to find bugs," Google security engineer Eduardo Vela Nava said Friday in a blog post. "Of course, that's good news, but it can also be discouraging when researchers invest their time and struggle to find issues. With this in mind, today we're rolling out a new, experimental program: Vulnerability Research Grants. These are up-front awards that we will provide to researchers before they ever submit a bug."

Google has paid over US$4 million to researchers through its existing programs since 2010. In 2014 alone the company paid $1.5 million in rewards to over 200 researchers who reported more than 500 security bugs, Vela Nava said.

The highest reward for a single vulnerability was $150,000, paid to well-known researcher and PlayStation hacker George Hotz for a Chrome exploit. Hotz, known online as geohot, went on to join Google's Project Zero research team as an intern.

The new research grants will vary in size from $500 to $3,133.7 (eleet in hacker speak) and will be available for three categories of targets: newly launched services and features; services considered highly sensitive by Google and critical patches for flaws that affect multiple Google products.

Incentivizing researchers to scrutinize patches for already reported vulnerabilities is valuable and different than what other companies have done through their bug bounty programs so far. There have been many cases in the past where researchers discovered that a company's patch for a vulnerability was ineffective or didn't cover all possible attack scenarios.

The most interesting aspect of Google's new vulnerability research grants is that actually finding vulnerabilities is not mandatory.

"We decided to try something different that was also aimed at rewarding researchers' time in situations when they pentest services that are likely not to result in vulnerabilities, as we believe we also benefit from knowing about products in which finding bugs is hard," Google said in the program's description.

If vulnerabilities are found as part of a research grant, those vulnerabilities will also qualify for individual rewards through the other programs, so the grants do not replace individual bug bounties but complement them.

Furthermore, researchers who have already participated in the company's existing reward programs and received bug bounties for their findings will have a higher chance of obtaining a grant. Their applications will be prioritized over those of newcomers.

The company also extended its Vulnerability Reward Program to cover mobile applications developed by Google and distributed through Google Play and iTunes. The VRP previously covered only Google's online services and its extensions and apps for Google Chrome

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags patchesonline safetyGooglesecurityExploits / vulnerabilities

Featured

Slideshows

Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Show Comments