Researchers who identify vulnerabilities in mobile applications officially developed by Google will be rewarded for their effort, the search giant announced last week.
Up until now, the Vulnerability Reward Program (VRP) covered Google-owned Web services such as google.com, youtube.com, and blogger.com, and browser apps and extensions hosted on the Chrome Web Store. Now, security experts will also be rewarded for reporting security holes in any of the mobile applications published by the company on Google Play and iTunes.
Another major addition to Google’s bug bounty program is an experimental initiative called Vulnerability Research Grants. Researchers have contributed greatly over the past years to making Google’s products secure. However, since it has become increasingly difficult to identify flaws, the company wants to ensure experts are not discouraged from analyzing Google services.
As part of the Vulnerability Research Grants program, Google will pay researchers as much as $3,133.7 up front, with no strings attached. For newly launched services, the grant amount starts at $500. Another grant category, for which the minimum amount is $1,337, targets sensitive products, such as Search, Wallet, Gmail, Inbox, Code, the App Engine, the Chrome Web Store, Admin, Developers Console, and Google Play. Researchers can also analyze recently patched vulnerabilities.
In addition to the grant money, participants will be rewarded for each of the issues they find under the VRP.
“The program is intended for our top performing, frequent vulnerability researchers as well as invited experts, and we hope it will allow us to reward the security researchers time and attention including the situations when they don’t find any vulnerabilities,” Google said.
Since the launch of its bug bounty program in 2010, the search giant has paid out a total of $4 million to researchers. Last year, the company rewarded more than 200 researchers with a total of $1.5 million for reporting more than 500 bugs.
Google’s own researchers have identified numerous vulnerabilities in the products of other vendors. The affected companies are always notified, but they are given a strict 90-day deadline before the details of the security hole are made public. This year, Google’s Zero Project disclosed flaws affecting Apple and Microsoft products just days before the vendors got a chance to release patches for them.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- Vulnerabilities in Honda eCommerce Platform Exposed Customer, Dealer Data
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Google Patches Third Chrome Zero-Day of 2023
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
Latest News
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- Google Introduces SAIF, a Framework for Secure AI Development and Use
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Democrats and Republicans Are Skeptical of US Spying Practices, an AP-NORC Poll Finds
