What’s the best way to find security vulnerabilities? If you ask Google, it’s paying independent researchers good money to look for security flaws. Google created the “Security Rewards Program” back in 2010 to pay security researchers for the flaws they found.
Now, Google is updating that program slightly, making the incentive for researchers to look for and find flaws even more appealing.
The Newly Changed Program
The latest update to the Security Rewards Program pays independent security researchers in advance, before they have found any flaws. Further, the researchers will receive funds whether or not they actually find anything - not a bad gig. Any researcher that can find a zero-day bug or fix one will also be given bonus cash. Who gets to play Google research ball? The program is currently reserved for Google’s best security researchers and for the top researchers in the security field.
What Google doesn’t want (right now) is a bunch of amateur hackers attempting to find security problems. At present, the money is reserved for well-seasoned security experts that Google trusts. The program is currently in the development stage, which means that Google wants to see how those experienced security researchers do with the new funding before the company opens it up to other researchers.
So, how much can you get from Google if you are a top security researcher? The rewards range from $500 to more than $3000 - depending on research skills, and on some other details. Prior to the new amendment of the Google research grant, researchers had very little incentive to actually search for security flaws. No top researcher wants to spend time looking for something that they may not get paid for, which is why Google has bent the rules to include money up front, regardless of whether or not something is found.
Since the start of the original program in 2010, Google has doled out $4 million in reward dollars. It’s often hard for a company like Google to find its own security flaws, which is why it’s a good idea to hire outside experts as well as those who currently work with Google.
One of the main reasons that it’s hard for Google to find security issues on its own is that the company has gotten really excellent at security, and even finding flaws in its own system is tough (not a bad thing). But an outside pair of eyes tends to see more than an internal pair, and that’s what Google is currently banking on.
Apps Now Included
Another addition to the Google program is that the company now includes any apps found on Google Play and in the App Store as part of the reward program. If a researcher wants to work on finding security issues in either of those places, the money will flow as well.
Now that Google has found a way to entice security experts to look for and discover security flaws, the company may find a whole new flock of security professionals willing to find what ails Google. This tactic has also worked well for other companies.