Google is giving researchers money—up front, to find security bugs
Google has had a "Security Rewards Program," which financially rewards
security researchers who discover Google vulnerabilities, since 2010. This new
program differs because the researchers are given the money before they even
begin working, and there is no penalty for not finding anything.
As a bonus to the grant, researchers are still eligible for the regular financial rewards
if they do happen to disclose or fix a zero-day bug. The program is intended for
Google's "top performing, frequent vulnerability researchers as well as invited
experts," so it is not aimed at amateur hackers. Google is treating the program as
an experiment and is placing trust in the researchers based on their track records.
It is discouraging for top-notch researchers to get involved with the existing
Security Rewards Program because, if they find nothing, there is no
payout for their time. The grant system, called Vulnerability Research Grants, is
meant to offer a better incentive to get involved with Google security research, according
to a blog post.
The awards range from $500 to $3,133.70. The grants cover different areas of
research, such as newly launched products. Google has instructions
on its website for people interested in applying for funding. Google does not
know how much money will ultimately be put into the project.
Google has given $4 million in rewards to researchers since the program started
in 2010. In 2014 alone, Google doled out $1.5 million in rewards for bug
disclosures.
As Google ramped up security research over time, the company found it more
difficult to discover security bugs. That could be because Google's security is
getting better, or because it is not looking in the right places. This new project, in a
sense, is Google's way of crowdsourcing security help.
The company also announced that all of its apps available on Google Play and the
App Store now fall under the scope of the rewards program.
Google touts online security as one of its major priorities, and not just internally.
The tech giant has a dedicated initiative called Project Zero that exposes security
problems in non-Google products, then notifies the affected companies that they exist.