Google last year doled out more than $1.5 million to security researchers who rooted out vulnerabilities in its open-source software and web services.
The search engine giant today released a 2014 postmortem of its Security Reward Programs, which includes its Vulnerability Reward Program. The top-dollar reward of 2014 went to George Hotz, who earned a $150,000 reward from Google for finding flaws in the Chrome operating system. Hotz was later hired as an intern with the Project Zero team at Google.
Google last year awarded bug bounties for more than 500 vulnerabilities found by some 200 security researchers. "For Chrome, more than half of all rewarded reports for 2014 were in developer and beta versions," Google security engineer Eduardo Vela Nava wrote in a blog post today. "We were able to squash bugs before they could reach our main user population."
And now mobile apps are up for grabs as well: any Google-developed mobile apps on Google Play and iTunes are now part of the Vulnerability Reward Program.
Google also has rolled out an experimental research grant program to help researchers offset the cost of the increasingly difficult task of finding serious bugs. "These are up-front awards that we will provide to researchers before they ever submit a bug," Vela Nava says.
The company will designate which types of vulnerabilities and which products and services are eligible for the grants, which could be as high as $3,133.70. "We'll award grants immediately before research begins, with no strings attached. Researchers then pursue the research they applied for, as usual," according to Vela Nava.