Google paid $1.5m to 'bug finders' in 2014

Single largest reward totals $150,000, as Google extends its vulnerability reward programme to its mobile apps


Web Desk January 30, 2015
Google treats researchers as a cornerstone of its relationship with the security community. PHOTO: AFP

Software is only as good as the bugs it is able to weed out, and sometimes you need help finding them all. This is perhaps why the US internet search giant paid out over $1.5 million in 2014 to security researchers who reported vulnerabilities in its software and services.

According to figures from its Security Rewards programme, Google paid more than 200 researchers for over 500 bugs found in 2014.

In a blog post, Google security engineer Eduardo Vela Nava said the internet giant had paid one researcher $150,000 in a single award for reporting a major flaw. In addition to the big cheque, Google rewarded him with an internship on its Project Zero team.

In the first quarter of 2013, an active researcher earned on average about $1,000 a month for identifying problems. That figure has tripled over the past year and a half: rewards now average $3,000 or more per researcher per month.

Since it started the programme in 2010, Google said it has paid out more than $4 million in total. Part of the growth, however, is simply because Google has increased the size of individual rewards.



On the flip side, Google saw a gradual decline in the number of bugs researchers were finding in its software, as its own engineers doubled down on eliminating vulnerabilities.

In 2014, the average active researcher reported 1.5 bugs per month, down from two bugs per month in 2012.



Naming three of its top contributors, Adrian (Romania), Tomasz (Poland/UK) and Nikolai (Ukraine), Google said that it receives the most bug reports from researchers in Europe, followed by Asia, Africa and North America.



Vulnerability rewards expansion

In addition to the rewards paid out for its desktop software and browsers, Google announced that it was expanding the programme to cover all mobile applications officially developed by Google and published on Google Play (the Android store) and the iTunes App Store (the iOS store).

Furthermore, it rolled out vulnerability research grants, which provide researchers with tiered up-front awards of up to $3,133.70 for investigating areas in which Google wants additional scrutiny.

The grant is paid before the research begins, with no strings attached.
