After handing out more than $1.5 million in rewards to bug hunters in 2014, Google has announced a new way for security researchers to get paid — before they even find a flaw.
The Web giant has launched a new “experimental” Vulnerability Research Grants program through which researchers can earn awards before they ever submit a bug. Google said it will hand out various tiers of grants, which top out at $3,133.70.
The program works like this: Google will publish different types of vulnerabilities, products, and services for which it needs support beyond its normal vulnerability rewards. The company will award grants immediately before the research begins, “no strings attached.” Winners will then pursue the research they applied for, as usual.
Google said that it’s launching the new program because researchers’ efforts, coupled with its own internal security work, are making it “increasingly difficult to find bugs.”
“Of course, that’s good news, but it can also be discouraging when researchers invest their time and struggle to find issues,” Google security engineer Eduardo Vela Nava wrote in a blog post Friday. For current grants and eligibility requirements, check out the rules page.
Google is also expanding its existing vulnerability rewards program. All of the company’s official mobile apps available through the Play store and on iTunes are now within the scope of the program.
Meanwhile, Google said it has now paid more than $4 million in rewards to researchers since 2010. Its largest single reward last year was $150,000, and the researcher then nabbed an internship with Google. Last year, the company handed out rewards to 200 different researchers for more than 500 bugs.
“For Chrome, more than half of all rewarded reports for 2014 were in developer and beta versions,” Vela Nava said. “We were able to squash bugs before they could reach our main user population.”