Google has announced it is to pay out research grants to security researchers seeking out potential bugs, even if they turn up empty-handed, reports ZDNet.
A new ‘experimental’ tier has been added to Google’s Security Reward Program, with grants of up to $3,133.70 available for security researchers who apply to investigate specific Google services. The Register notes that researchers who prefer to donate their grant to charity will see Google doubling the reward.
The grant is available “before research begins, with no strings attached”, but the company is limiting the program to ‘top performing’ bug reporters and ‘invited experts’. Those who meet the entry criteria will have access to three types of grants: research into newly released features and products, recently fixed vulnerabilities and “highly sensitive services” – the likes of Google search, Gmail and the Chrome Web Store.
Writing in a post on the official Google Security Blog, engineer Eduardo Vela Nava explained the change, pitching the program as a victim of its own success: “First, researchers’ efforts through these programs, combined with our own internal security work, make it increasingly difficult to find bugs. Of course, that’s good news, but it can also be discouraging when researchers invest their time and struggle to find issues.”
In total, since 2010 Google has paid out more than $4,000,000 in rewards to security researchers finding vulnerabilities in Google products and services, and in the last year it paid out $1,500,000 to more than 200 different researchers. The largest single reward was $150,000, which was paid out to a researcher who ultimately joined the company for an internship.