Find A Security Bug And Get Paid By Google

The latest fashion in tech nowadays is offering rewards to outside resources in exchange for their “hacking” skills, but Google have made it more fun.

Most recently, Google have planned to pay independent security researchers upfront to assist in finding security vulnerabilities in their products.

Now you might think this is the same as the “Security Rewards Program,” which Google launched in May 2010, but in fact it is completely different. This new program actually pays researchers money before they even begin working, and there is no penalty for not finding anything.

In addition, researchers are still entitled to receive regular financial rewards if they do happen to discover or fix a bug. But here is the catch: the program is intended for Google’s “top performing, frequent vulnerability researchers as well as invited experts”, or in simple terms, Google are only targeting experts in hacking.

You can say that Google are experimenting with this new program and are placing their trust in the researchers based on their fruitful history.

It’s discouraging for well-known researchers to get involved with the already-present Security Rewards Program because there is no sure payment for their work. The grant system, called Vulnerability Research Grants, is meant to offer a better motivation to get involved with Google research, as per Google’s Online Security Blog post.


The top three contributors to the VRP program in 2014 during a recent visit to Google Zurich: Adrian (Romania), Tomasz (Poland / UK), Nikolai (Ukraine)

The awards range from $500 to $3,133.70. The grants cover different areas of research, but mostly focus on newly launched products. Google has posted instructions for people interested in applying for funding. Google does not know how much money will ultimately be put into the project.

Google has shelled out $4 million in rewards to researchers since the Security Rewards Program started in 2010, but in 2014 alone, they rewarded $1.5 million for bug disclosures.

As Google have enhanced security research over time, they have been finding it more difficult to discover security bugs. This might indicate that they are doing a great job, or that they might be looking in the wrong places. This new project, in a sense, is Google’s way of inviting outside talent to help strengthen their security.

The company also announced that all of its apps available on Google Play and the App Store are under the scope of the rewards program.

Google consider online security one of their vital priorities, and not just their own security. The tech giant has a dedicated initiative called Project Zero that exposes security problems in non-Google products and notifies the companies concerned that they exist.

Project Zero has disclosed security flaws for big-name companies, such as Microsoft and Apple. Microsoft have expressed publicly that they are not satisfied with the results of Project Zero, claiming that it sometimes seems to be more about exposing their flaws than helping to fix them.

Amir H. Nasr Editor-in-Chief Instagram: @amir_nasr Twitter: @AmirNasr