Researchers who identify vulnerabilities in mobile applications officially developed by Google will be rewarded for their effort, the search giant announced last week.
Up until now, the Vulnerability Reward Program (VRP) covered Google-owned Web services such as google.com, youtube.com, and blogger.com, and browser apps and extensions hosted on the Chrome Web Store. Now, security experts will also be rewarded for reporting security holes in any of the mobile applications published by the company on Google Play and iTunes.
Another major addition to Google’s bug bounty program is an experimental initiative called Vulnerability Research Grants. Researchers have contributed greatly over the past years to making Google’s products secure. However, since it has become increasingly difficult to identify flaws, the company wants to ensure experts are not discouraged from analyzing Google services.
As part of the Vulnerability Research Grants program, Google will pay researchers as much as $3,133.7 up front, with no strings attached. For newly launched services, the grant amount starts at $500. Another grant category, for which the minimum amount is $1,337, targets sensitive products, such as Search, Wallet, Gmail, Inbox, Code, the App Engine, the Chrome Web Store, Admin, Developers Console, and Google Play. Researchers can also analyze recently patched vulnerabilities.
In addition to the grant money, participants will be rewarded for each of the issues they find under the VRP.
“The program is intended for our top performing, frequent vulnerability researchers as well as invited experts, and we hope it will allow us to reward the security researchers time and attention including the situations when they don’t find any vulnerabilities,” Google said.
Since the launch of its bug bounty program in 2010, the search giant has paid out a total of $4 million to researchers. Last year, the company rewarded more than 200 researchers with a total of $1.5 million for reporting more than 500 bugs.
Google’s own researchers have identified numerous vulnerabilities in the products of other vendors. The affected companies are always notified, but they are given a strict 90-day deadline before the details of the security hole are made public. This year, Google’s Zero Project disclosed flaws affecting Apple and Microsoft products just days before the vendors got a chance to release patches for them.