CONFERENCE NOW LIVE: Threat Detection & Incident Response (TDIR) Summit - Join the Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google Expands Vulnerability Reward Program to Mobile Apps

Researchers who identify vulnerabilities in mobile applications officially developed by Google will be rewarded for their effort, the search giant announced last week.

Researchers who identify vulnerabilities in mobile applications officially developed by Google will be rewarded for their effort, the search giant announced last week.

Up until now, the Vulnerability Reward Program (VRP) covered Google-owned Web services such as google.com, youtube.com, and blogger.com, and browser apps and extensions hosted on the Chrome Web Store. Now, security experts will also be rewarded for reporting security holes in any of the mobile applications published by the company on Google Play and iTunes.

Another major addition to Google’s bug bounty program is an experimental initiative called Vulnerability Research Grants. Researchers have contributed greatly over the past years to making Google’s products secure. However, since it has become increasingly difficult to identify flaws, the company wants to ensure experts are not discouraged from analyzing Google services.

As part of the Vulnerability Research Grants program, Google will pay researchers as much as $3,133.7 up front, with no strings attached. For newly launched services, the grant amount starts at $500. Another grant category, for which the minimum amount is $1,337, targets sensitive products, such as Search, Wallet, Gmail, Inbox, Code, the App Engine, the Chrome Web Store, Admin, Developers Console, and Google Play. Researchers can also analyze recently patched vulnerabilities.

In addition to the grant money, participants will be rewarded for each of the issues they find under the VRP.

“The program is intended for our top performing, frequent vulnerability researchers as well as invited experts, and we hope it will allow us to reward the security researchers time and attention including the situations when they don’t find any vulnerabilities,” Google said.

Since the launch of its bug bounty program in 2010, the search giant has paid out a total of $4 million to researchers. Last year, the company rewarded more than 200 researchers with a total of $1.5 million for reporting more than 500 bugs.

Google’s own researchers have identified numerous vulnerabilities in the products of other vendors. The affected companies are always notified, but they are given a strict 90-day deadline before the details of the security hole are made public. This year, Google’s Zero Project disclosed flaws affecting Apple and Microsoft products just days before the vendors got a chance to release patches for them.

Advertisement. Scroll to continue reading.
Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Jeremy Koppen has left Mandiant after 13 years to become the CISO of Equifax.

Engineering and technology solutions provider Amentum has appointed Max Shier as its CISO.

PAM provider Keeper Security has appointed Shane Barney as its Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.