Bug bounty programs are all the rage today and are increasingly becoming one of the many ways a company seeks to protect itself against security threats. Google, with its five-year-old initiative, has been one of the foremost proponents of this approach. Today, the company gave the public a peek at some of its program’s major successes in 2015.
According to a post on the company’s official blog, Google paid out an impressive $2 million last year to zealous researchers who discovered over 750 bugs in and around Google’s virtual properties.
2015 was also significant because Google finally brought Android into the fold with its Android VRP program. As expected, it was a hit too: security researchers and hackers received a total of $200K, including the single largest payment ever, $37,500, paid to an Android security researcher.
Another change that has been very popular among security researchers and hackers is the Vulnerability Research Grant, under which people exploring flaws in Google systems are rewarded with a one-time grant, even before they discover anything. The program has produced some fantastic results, as it attracts some of the best minds in the field. Google gives an example:
Kamil Hismatullin, a researcher from Kazan, Russia, received a VRP grant early last year. Shortly thereafter, he found an issue in YouTube Creator Studio which would have enabled anyone to delete any video from YouTube by simply changing a parameter from the URL. After the issue was reported, our teams quickly fixed it and the researcher was rewarded $5,000 in addition to his initial research grant.
In short, the programs have been very successful. That shouldn’t surprise anyone, however, considering the large number of hackers and company who spend their time finding vulnerabilities that can be either exploited or exchanged for hard cash from a third party. With its bug bounty program, Google has given them a chance to use their talents to do some good, receive cash and face appreciation instead of prosecution for their actions.
Here are some other success stories mentioned by Google:
Tomasz Bojarski found 70 bugs on Google in 2015, and was our most prolific researcher of the year. He found a bug in our vulnerability submission form.
You may have read about Sanmay Ved, a researcher from who was able to buy google.com for one minute on Google Domains. Our initial financial reward to Sanmay—$6,006.13—spelled-out Google, numerically (squint a little and you’ll see it!). We then doubled this amount when Sanmay donated his reward to charity.
Google’s example is increasingly being followed by others, with varying degrees of success. And although we do sometimes hear of spats, as with Facebook recently, the programs have given both large corporations and small companies a viable way to find and correct bugs and loopholes in their systems.
Meanwhile, Google has promised to continue to expand its security research program. The company has already dedicated $1 million for the discovery of flaws within Google Drive.