New security vulnerability programs kicking off

Feb 2, 2015 14:26 GMT

In 2014, Google paid out more than $1.5 / €1.326 million through its Security Reward Programs to security researchers who reported bugs in software developed by the company.

The money was split among 200 different researchers, who together disclosed over 500 security flaws in Google products.

George Hotz gets top dollar: $150,000 for breaking Chrome OS

One researcher, 25-year-old George Hotz (GeoHot), attracted the most attention: he received the largest single reward of 2014, $150,000 / €132,500, for an exploit that chained four vulnerabilities in Chrome OS to run a persistent program on the system, demonstrated at the Google-sponsored Pwnium hacking competition.

The bugs he exploited were a memory corruption in V8, Google Chrome's JavaScript engine; a command injection in Crosh (the Chrome OS shell); a path traversal flaw in CrosDisks (the service responsible for mounting and unmounting file systems in Chrome OS); and a flaw involving file persistence at boot time.

As a result of the hack, Hotz was also offered an internship with Google’s Project Zero, a team of elite security researchers dedicated to discovering zero-day vulnerabilities in software products from different vendors.

Research grants and mobile apps security rewards announced

Google security engineer Eduardo Vela Nava says in a blog post that, in the case of Chrome, most of the reported flaws never reached the stable release of the browser, having been eliminated in the developer and beta versions.

Along with the reward figures, Nava also announced two new security initiatives. One is a research grant for investigating bugs in products designated by Google; the other is the inclusion of the mobile apps officially developed by Google for Android and iOS in the Vulnerability Reward Program.

The research grants are experimental at the moment; they come with no strings attached and do not require disclosing any bug in order to receive the money (the maximum tier is $3,133.70 / €2,770). “These are up-front awards that we will provide to researchers before they ever submit a bug,” Nava says.

“We'll publish different types of vulnerabilities, products and services for which we want to support research beyond our normal vulnerability rewards,” he adds. The researchers then carry out their investigation as usual.

Since the inception of the Security Vulnerability Program back in 2010, the search giant has paid out more than $4 / €3.526 million, which may be nickels and dimes for a company of Google's size but is nonetheless a hefty investment in the security of its products that few others match. Apart from this, Google also offers rewards outside this program.